[Snort-users] unable to wash traffic through rules files

Erek Adams erek at ...950...
Mon Jan 13 06:29:08 EST 2003


On Sun, 12 Jan 2003, don wrote:

> I am using snort 1.9.0 and am unable to get it to work pse see the below
> noted I would be most grateful for any ideas as
> to what I am doing wrong. I am fully conversant with tcpdump/ethereal
> and the such but this is stumping me!!!
>
> monkeylabs:/home/don/Documents/snort-1.9.0/src # ./snort -dvr
> /home/don/ch1.capture -A full -c netbios.rules
> Initializing Output Plugins!
> Log directory = /var/log/snort
> TCPDUMP file reading mode.
> Reading network traffic from "/home/don/ch1.capture" file.
> snaplen = 65535
>
>         --== Initializing Snort ==--
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file netbios.rules
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> ERROR: Unable to open rules file: netbios.rules or ./netbios.rules
> Fatal Error, Quitting..

[...snip...]

Ummm....  It can't find the file "netbios.rules" or "./netbios.rules".
Put in the full path to the file that you intend to use and that error
should be fixed.

But...  You'll have another error then.  Save yourself the time and simply
configure the snort.conf that comes with Snort.  Simply fill in HOME_NET
with the subnet that you want to watch and set EXTERNAL to !$HOME_NET (not
HOME_NET).  Then for the other plugins, you can configure them, but for
testing, you'd be fine to leave them at your defaults.

Hope that helps!

-----
Erek Adams

   "When things get weird the weird turn pro."   H.S. Thompson
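
Added example, not part of the original post or of Snort itself: a preflight check to run before `snort -c`. It confirms that the rules file is readable at the given path, then lists variables used in rule headers that the config never defines with a `var` line. It assumes Snort 1.x `var NAME value` syntax and the stock variable name `EXTERNAL_NET`; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Preflight check for a Snort 1.x config plus rules file (illustrative helper).

# Names defined by "var NAME value" lines in a config file.
defined_vars() {
    awk '$1 == "var" && NF >= 3 { print $2 }' "$1" | sort -u
}

# Names referenced as $NAME in rule headers. Comment lines are dropped and
# everything from the first "(" is cut, so option strings such as
# content:"IPC$" are never mistaken for variables.
used_vars() {
    sed -e '/^[[:space:]]*#/d' -e 's/(.*//' "$1" |
        grep -o '\$[A-Za-z_][A-Za-z0-9_]*' | tr -d '$' | sort -u
}

# usage: missing_vars CONF RULES
# Prints each variable the rules need that CONF does not define.
# Returns 2 if the rules file cannot be read at the path given.
missing_vars() {
    [ -r "$2" ] || { echo "cannot read rules file: $2" >&2; return 2; }
    for v in $(used_vars "$2"); do
        defined_vars "$1" | grep -qx "$v" || echo "$v"
    done
}

# Constructed sample input: a config that sets HOME_NET only, and one
# sample rule written for this demo (not taken from netbios.rules).
demo() {
    dir=$(mktemp -d)
    printf 'var HOME_NET 192.168.1.0/24\n' > "$dir/snort.conf"
    printf '%s\n' '# constructed sample rule' \
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"sample"; content:"IPC$"; sid:1000001;)' \
        > "$dir/sample.rules"
    missing_vars "$dir/snort.conf" "$dir/sample.rules"
    rm -rf "$dir"
}

demo
```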