[Snort-users] start snort in IDS mode

Plantier, Spencer spencer.plantier at ...12801...
Thu Feb 10 07:39:38 EST 2005


I still get this error: 

Initializing rule chains...

ERROR: /opt/snort/etc/snort.conf(43) => NULL rule type

Fatal Error, Quitting..

Thanks,

 

 

Spencer

________________________________

From: William Fitzgerald [mailto:wfitzgerald at ...9307...] 
Sent: Thursday, February 10, 2005 10:33 AM
To: Plantier, Spencer
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] start snort in IDS mode

 

So I guess you're up and running :-)

Glad to be of some help.

	-----Original Message-----
	From: Plantier, Spencer [mailto:spencer.plantier at ...12801...] 
	Sent: 10 February 2005 15:33
	To: wfitzgerald at ...9307...
	Cc: snort-users at lists.sourceforge.net
	Subject: RE: [Snort-users] start snort in IDS mode

	This is what I have. 

	 

	 

	Example of snort.conf

	 

	include $RULE_PATH /opt/snort/rules/smtp.rules^M

	include $RULE_PATH /opt/snort/rules/imap.rules^M

	include $RULE_PATH /opt/snort/rules/pop2.rules^M

	include $RULE_PATH /opt/snort/rules/pop3.rules^M

	 

	 

	 

	Thanks, opt/snort/etc

	# ls -l

	total 706

	-rw-r--r--   1 root     other       6004 Feb 10 08:36 Makefile

	-rw-r--r--   1 root     other        230 Feb 10 08:36 Makefile.am

	-rw-r--r--   1 root     other       5464 Feb 10 08:36 Makefile.in

	-rw-r--r--   1 root     other       3521 Feb 10 08:36 classification.config

	-rw-r--r--   1 root     other       8066 Feb 10 08:36 gen-msg.map

	-rw-r--r--   1 root     other       1622 Feb 10 08:36 generators

	-rw-r--r--   1 root     other        608 Feb 10 08:36 reference.config

	-rw-r--r--   1 root     other         58 Feb 10 08:36 sid

	-rw-r--r--   1 root     other     235477 Feb 10 08:36 sid-msg.map

	-rw-r--r--   1 root     other      28162 Feb 10 09:37 snort.conf

	-rw-r--r--   1 root     other       2319 Feb 10 08:36 threshold.conf

	-rw-r--r--   1 root     other      53841 Feb 10 08:36 unicode.map

	#

	 

	#  cd ..

	# ls -l

	total 12

	drwxr-xr-x   2 root     other        512 Feb 10 08:33 bin

	drwxr-xr-x   2 root     other        512 Feb 10 09:35 etc

	drwxr-xr-x   2 root     other        512 Feb 10 08:35 folder

	drwxr-xr-x   3 root     other        512 Feb 10 08:33 man

	drwxr-xr-x   2 root     other       1536 Feb 10 08:36 rules

	# cd rules

	# ls -l

	total 2018

	-rw-r--r--   1 root     other       6551 Feb 10 08:36 Makefile

	-rw-r--r--   1 root     other        777 Feb 10 08:36 Makefile.am

	-rw-r--r--   1 root     other       6009 Feb 10 08:36 Makefile.in

	-rw-r--r--   1 root     other       4768 Feb 10 08:36 attack-responses.rules

	-rw-r--r--   1 root     other      16612 Feb 10 08:36 backdoor.rules

	-rw-r--r--   1 root     other       3000 Feb 10 08:36 bad-traffic.rules

	-rw-r--r--   1 root     other       7212 Feb 10 08:36 chat.rules

	-rw-r--r--   1 root     other       6783 Feb 10 08:36 ddos.rules

	-rw-r--r--   1 root     other      63449 Feb 10 08:36 deleted.rules

	-rw-r--r--   1 root     other       5381 Feb 10 08:36 dns.rules

	-rw-r--r--   1 root     other       4831 Feb 10 08:36 dos.rules

	-rw-r--r--   1 root     other        471 Feb 10 08:36 experimental.rules

	-rw-r--r--   1 root     other      24415 Feb 10 08:36 exploit.rules

	-rw-r--r--   1 root     other       3112 Feb 10 08:36 finger.rules

	-rw-r--r--   1 root     other      20491 Feb 10 08:36 ftp.rules

	-rw-r--r--   1 root     other      15618 Feb 10 08:36 icmp-info.rules

	-rw-r--r--   1 root     other       4488 Feb 10 08:36 icmp.rules

	-rw-r--r--   1 root     other      12577 Feb 10 08:36 imap.rules

	-rw-r--r--   1 root     other       2430 Feb 10 08:36 info.rules

	-rw-r--r--   1 root     other        199 Feb 10 08:36 local.rules

	-rw-r--r--   1 root     other      16657 Feb 10 08:36 misc.rules

	-rw-r--r--   1 root     other       2866 Feb 10 08:36 multimedia.rules

	-rw-r--r--   1 root     other        816 Feb 10 08:36 mysql.rules

	-rw-r--r--   1 root     other     118680 Feb 10 08:36 netbios.rules

	-rw-r--r--   1 root     other       3895 Feb 10 08:36 nntp.rules

	-rw-r--r--   1 root     other     176913 Feb 10 08:36 oracle.rules

	-rw-r--r--   1 root     other       1383 Feb 10 08:36 other-ids.rules

	-rw-r--r--   1 root     other       3953 Feb 10 08:36 p2p.rules

	-rw-r--r--   1 root     other       5323 Feb 10 08:36 policy.rules

	-rw-r--r--   1 root     other       1228 Feb 10 08:36 pop2.rules

	-rw-r--r--   1 root     other       8578 Feb 10 08:36 pop3.rules

	-rw-r--r--   1 root     other       5061 Feb 10 08:36 porn.rules

	-rw-r--r--   1 root     other      51378 Feb 10 08:36 rpc.rules

	-rw-r--r--   1 root     other       2920 Feb 10 08:36 rservices.rules

	-rw-r--r--   1 root     other       4088 Feb 10 08:36 scan.rules

	-rw-r--r--   1 root     other       4727 Feb 10 08:36 shellcode.rules

	-rw-r--r--   1 root     other      22090 Feb 10 08:36 smtp.rules

	-rw-r--r--   1 root     other       4915 Feb 10 08:36 snmp.rules

	-rw-r--r--   1 root     other      14409 Feb 10 08:36 sql.rules

	-rw-r--r--   1 root     other       3572 Feb 10 08:36 telnet.rules

	-rw-r--r--   1 root     other       2560 Feb 10 08:36 tftp.rules

	-rw-r--r--   1 root     other       1211 Feb 10 08:36 virus.rules

	-rw-r--r--   1 root     other      10229 Feb 10 08:36 web-attacks.rules

	-rw-r--r--   1 root     other     100668 Feb 10 08:36 web-cgi.rules

	-rw-r--r--   1 root     other       7419 Feb 10 08:36 web-client.rules

	-rw-r--r--   1 root     other       9166 Feb 10 08:36 web-coldfusion.rules

	-rw-r--r--   1 root     other       9484 Feb 10 08:36 web-frontpage.rules

	-rw-r--r--   1 root     other      37230 Feb 10 08:36 web-iis.rules

	-rw-r--r--   1 root     other      94963 Feb 10 08:36 web-misc.rules

	-rw-r--r--   1 root     other      35801 Feb 10 08:36 web-php.rules

	-rw-r--r--   1 root     other        573 Feb 10 08:36 x11.rules

	 

	 

	Spencer

	
________________________________


	From: William Fitzgerald [mailto:wfitzgerald at ...9307...] 
	Sent: Thursday, February 10, 2005 9:23 AM
	To: Plantier, Spencer; snort-users at lists.sourceforge.net
	Subject: RE: [Snort-users] start snort in IDS mode

	 

	I wonder if you have the rules directory in the correct place.

	You should have:

	/opt/snort/etc

	/opt/snort/rules

	 

	In the snort.conf file:

	# Path to your rules files (this can be a relative path)

	var RULE_PATH ../rules

	This goes up one directory from etc to rules. If you copied the rules to the etc directory, then change RULE_PATH to reflect this.

	 

	 

		-----Original Message-----
		From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Plantier, Spencer
		Sent: 10 February 2005 14:17
		To: snort-users at lists.sourceforge.net
		Subject: [Snort-users] start snort in IDS mode

		I got IDS to start but I got the following output:

		opt/snort/bin/snort -c /opt/snort/etc/snort.conf -i hme0

		Running in IDS mode

		Initializing Network Interface hme0

		        --== Initializing Snort ==--

		Initializing Output Plugins!

		Decoding Ethernet on interface hme0

		Initializing Preprocessors!

		Initializing Plug-ins!

		Parsing Rules file /opt/snort/etc/snort.conf

		+++++++++++++++++++++++++++++++++++++++++++++++++++

		Initializing rule chains...

		,-----------[Flow Config]----------------------

		| Stats Interval:  0

		| Hash Method:     2

		| Memcap:          10485760

		| Rows  :          4099

		| Overhead Bytes:  16400(%0.16)

		`----------------------------------------------

		No arguments to frag2 directive, setting defaults to:

		    Fragment timeout: 60 seconds

		    Fragment memory cap: 4194304 bytes

		    Fragment min_ttl:   0

		    Fragment ttl_limit: 5

		    Fragment Problems: 0

		    Self preservation threshold: 500

		    Self preservation period: 90

		    Suspend threshold: 1000

		    Suspend period: 30

		Stream4 config:

		    Stateful inspection: ACTIVE

		    Session statistics: INACTIVE

		    Session timeout: 30 seconds

		    Session memory cap: 8388608 bytes

		    State alerts: INACTIVE

		    Evasion alerts: INACTIVE

		    Scan alerts: INACTIVE

		    Log Flushed Streams: INACTIVE

		    MinTTL: 1

		    TTL Limit: 5

		    Async Link: 0

		    State Protection: 0

		    Self preservation threshold: 50

		    Self preservation period: 90

		    Suspend threshold: 200

		    Suspend period: 30

		    Enforce TCP State: INACTIVE

		    Midstream Drop Alerts: INACTIVE

		Stream4_reassemble config:

		    Server reassembly: INACTIVE

		    Client reassembly: ACTIVE

		    Reassembler alerts: ACTIVE

		    Zero out flushed packets: INACTIVE

		    flush_data_diff_size: 500

		    Ports: 21 23 25 53 80 110 111 143 513 1433 

		    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433


		HttpInspect Config:

		    GLOBAL CONFIG

		      Max Pipeline Requests:    0

		      Inspection Type:          STATELESS

		      Detect Proxy Usage:       NO

		      IIS Unicode Map Filename: /opt/snort/etc/unicode.map

		      IIS Unicode Map Codepage: 1252

		    DEFAULT SERVER CONFIG:

		      Ports: 80 8080 8180 

		      Flow Depth: 300

		      Max Chunk Length: 500000

		      Inspect Pipeline Requests: YES

		      URI Discovery Strict Mode: NO

		      Allow Proxy Usage: NO

		      Disable Alerting: NO

		      Oversize Dir Length: 500

		      Only inspect URI: NO

		      Ascii: YES alert: NO

		      Double Decoding: YES alert: YES

		      %U Encoding: YES alert: YES

		      Bare Byte: YES alert: YES

		      Base36: OFF

		      UTF 8: OFF

		      IIS Unicode: YES alert: YES

		      Multiple Slash: YES alert: NO

		      IIS Backslash: YES alert: NO

		      Directory Traversal: YES alert: NO

		      Web Root Traversal: YES alert: YES

		      Apache WhiteSpace: YES alert: NO

		      IIS Delimiter: YES alert: NO

		      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG

		      Non-RFC Compliant Characters: NONE

		rpc_decode arguments:

		    Ports to decode RPC on: 111 32771 

		    alert_fragments: INACTIVE

		    alert_large_fragments: ACTIVE

		    alert_incomplete: ACTIVE

		    alert_multiple_requests: ACTIVE

		telnet_decode arguments:

		    Ports to decode telnet on: 21 23 25 119 

		Portscan Detection Config:

		    Detect Protocols:  TCP UDP ICMP IP

		    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan

		    Sensitivity Level: Low

		    Memcap (in bytes): 10000000

		    Number of Nodes:   36900

		ERROR: /opt/snort/etc/../rules(1) => NULL rule type

		Fatal Error, Quitting..

		#

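Both "NULL rule type" errors in this thread come from how Snort resolves `include` lines. `var RULE_PATH ../rules` is relative to the directory holding snort.conf, so a bare `include $RULE_PATH` points at the rules directory itself (hence the first error at `/opt/snort/etc/../rules(1)`), and `include $RULE_PATH /opt/snort/rules/smtp.rules^M` hands the parser two tokens plus a carriage return instead of a single `$RULE_PATH/smtp.rules`. The checker below is an added example, not code from the thread or from the Snort project: it reads a snort.conf, resolves `$VAR` references and relative paths the way William describes, and reports CRLF line endings, multi-token includes, undefined variables, and include targets that are not regular files. The sample config and file set are constructed, and the `isfile` parameter is a hypothetical hook so the check runs offline.

```python
"""Lint the var/include directives of a snort.conf.

Added example, not code from the mailing list thread or from Snort itself.
"""
import os
import re

VAR_RE = re.compile(r'^\s*var\s+(\w+)\s+(.+?)\s*$')
INCLUDE_RE = re.compile(r'^\s*include\s+(.*)$')


def expand_vars(value, variables):
    """Replace every $NAME in value with its defined value.

    Undefined names are left untouched so the caller can report them.
    """
    return re.sub(r'\$(\w+)', lambda m: variables.get(m.group(1), m.group(0)), value)


def lint_snort_conf(text, conf_dir, isfile=os.path.isfile):
    """Return a list of (line_number, problem) tuples for a snort.conf.

    text     -- raw file content, decoded with latin-1 so a stray '\\r' survives
    conf_dir -- directory containing snort.conf; relative include paths such as
                ../rules are resolved against it, as Snort does
    isfile   -- hypothetical hook so the check can run against a constructed
                file set instead of the real filesystem
    """
    problems = []
    variables = {}
    for lineno, raw in enumerate(text.split('\n'), start=1):
        if raw.endswith('\r'):
            # Shows up as ^M in vi; Snort reads the \r as part of the last token.
            problems.append((lineno, 'CRLF line ending (^M)'))
            raw = raw[:-1]
        line = raw.split('#', 1)[0]          # drop trailing comments
        if not line.strip():
            continue
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = INCLUDE_RE.match(line)
        if not m:
            continue                          # other directives are out of scope here
        tokens = m.group(1).split()
        if len(tokens) != 1:
            # "include $RULE_PATH /opt/snort/rules/smtp.rules" is two tokens;
            # the intended form is "include $RULE_PATH/smtp.rules".
            problems.append((lineno, 'include takes one path, got %d tokens: %s'
                             % (len(tokens), ' '.join(tokens))))
            continue
        path = expand_vars(tokens[0], variables)
        if '$' in path:
            problems.append((lineno, 'undefined variable in %s' % tokens[0]))
            continue
        if not os.path.isabs(path):
            path = os.path.normpath(os.path.join(conf_dir, path))
        if not isfile(path):
            # Covers both a missing file and a bare "include $RULE_PATH" that
            # points at the rules directory itself.
            problems.append((lineno, 'not a regular rules file: %s' % path))
    return problems


# Constructed sample modelled on the thread; not a real file.
SAMPLE_CONF = (
    "# Path to your rules files (this can be a relative path)\n"
    "var RULE_PATH ../rules\n"
    "include $RULE_PATH\n"                                 # directory, not a file
    "include $RULE_PATH /opt/snort/rules/smtp.rules\r\n"   # two tokens plus ^M
    "include $RULE_PATH/imap.rules\n"                      # correct form
    "include $RULE_PATH/nosuch.rules\n"                    # correct form, file missing
    "include $OTHER_PATH/x.rules\n"                        # variable never defined
)
# Constructed file set standing in for /opt/snort/rules on the sensor.
SAMPLE_FILES = {'/opt/snort/rules/imap.rules', '/opt/snort/rules/smtp.rules'}


def demo():
    """Run the linter over the constructed sample as if it sat in /opt/snort/etc."""
    return lint_snort_conf(SAMPLE_CONF, '/opt/snort/etc',
                           isfile=lambda p: p in SAMPLE_FILES)


if __name__ == '__main__':
    for lineno, problem in demo():
        print('snort.conf(%d): %s' % (lineno, problem))
```

Run it against a real install with `lint_snort_conf(open(path, encoding='latin-1').read(), os.path.dirname(path))`; reading the file as latin-1 rather than in text mode keeps the `\r` visible, which is exactly the character Snort's own error message does not show you.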