[Snort-sigs] Up and Running

Joel Esler jesler at ...435...
Tue Sep 11 13:37:54 EDT 2012

On Sep 11, 2012, at 1:20 PM, PR <oly562 at ...2420...> wrote:

> alrighty, i removed the # in front of $RULES also, mv'd so_rules and preproc_rules in /etc/snort and snort.conf configed to see them.
> here's the stdout:
> notice the whitelist complaining and..
> Complaints below:
> 1.  Reputation config: 
> WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor disabled.

> 2.  WARNING: flowbits key 'file.fli' is set but not ever checked. and 20 more like this...
Are you using pulled pork.

> 3. WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
This is an option in pulledpork.  It will place dynamic rules in the correct directory.

> 4. WARNING: ip4 normalizations disabled because not inline.
> WARNING: tcp normalizations disabled because not inline.
> WARNING: icmp4 normalizations disabled because not inline.

If you aren't inline, this is correct.

> 5. wondering about these few entries as well:
> 0 decoder rules
>     0 preprocessor rules
> zero?

If you aren't using preprocessor or decoder rules, that's correct.  These are commented out in the snort.conf by default.

> and...
> pcap DAQ configured to passive.

That's not a warning, that's informational.

> if you can see anything wrong, please let me know, i feel im getting close... lol
> thanks, pete

I don't show any stoppers.

> <snip>
> Commencing packet processing (pid=2828)

This means that Snort is running.

> 2nd STDOUT: for barnyard2 command:
> root at ...3731...:/var/lib/mysql/snort# /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config &

There is a command line option for barnyard2 to daemonize it.  You don't need to have "&" there.

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager

More information about the Snort-sigs mailing list