[Snort-users] Unable to run Snort in IPS mode

Sharma, Ashish ashish.sharma3 at ...6440...
Mon Feb 22 08:37:52 EST 2010


Rmkml,

Please find attached my 'local.rules' file.

Thanks
Ashish Sharma

-----Original Message-----
From: rmkml [mailto:rmkml at ...953...] 
Sent: Monday, February 22, 2010 6:49 PM
To: Sharma, Ashish
Cc: rmkml at ...953...
Subject: RE: [Snort-users] Unable to run Snort in IPS mode

OK, thank you Sharma,
could you send local.rules please?
Regards
Rmkml


On Mon, 22 Feb 2010, Sharma, Ashish wrote:

> Rmkml,
>
> First of all thanks for helping.
>
> I don't think there is any problem with command formatting or 'RULE_PATH' variable error.
>
> Reason being that when I comment out the 'reject' and 'sdrop' rules from 'local.rules' file and only 'drop' rules are there, then 'Snort' is able to run fine and alerts are generated and logged.
>
> For your reference my 'Snort.conf' is attached.
>
> Thanks for helping again.
>
> Ashish Sharma
>
> -----Original Message-----
> From: rmkml [mailto:rmkml at ...953...]
> Sent: Monday, February 22, 2010 5:15 PM
> To: Sharma, Ashish
> Cc: rmkml at ...953...
> Subject: Re: [Snort-users] Unable to run Snort in IPS mode
>
> Hi Sharma,
> you start snort with cmd line:
>  'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l /var/log/snort'
> please remove space like ... -c /etc/snort/snort.conf ...
> on your snort.conf, what is RULE_PATH variable contains please? or send
> snort.conf...
> Regards
> Rmkml
>
>
> On Mon, 22 Feb 2010, Sharma, Ashish wrote:
>
>> Hi,
>>
>> I have a Fedora Core 10 virtual machine running on Sun VirtualBox.
>>
>> I am trying to run Snort on this machine in IPS mode.
>>
>> I followed the following steps (I had already installed the prerequisites for Snort IPS):
>>
>> 1. Downloaded 'snort-2.8.5.2.tar.gz'
>> 2. Extracted the binaries.
>> 3. did './configure --enable-inline'
>> 4. did 'make'
>> 5. did 'make install'
>> 6. copied snort rules and snort conf at appropriate location.
>> 7. executed the following command :
>> 'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l /var/log/snort'
>> 8. Snort launches with the traces :
>>
>> Enabling inline operation
>> Running in IDS mode
>>
>> --== Initializing Snort ==--
>> Initializing Output Plugins!
>> Initializing Preprocessors!
>> ..................................
>>
>> Initializing rule chains...
>> ERROR: /etc/snortIDSMode/rules /local.rules(10 ) Unknown rule type: reject.
>> Fatal Error, Quitting..
>>
>> 9. As you can see I have a test rule in local.rules that has a 'reject' rule in it, but snort is not accepting it; the same is the case for the 'sdrop' rule also.
>>
>> 10. What is the problem? Please help!
>>
>> What should I do in all to let my Snort run in IPS mode
>>
>> Thanks in advance
>>
>> Ashish Sharma
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: local.rules
Type: application/octet-stream
Size: 517 bytes
Desc: local.rules
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100222/8db38d38/attachment.obj>
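The error in the thread is reported by file and line ("local.rules(10) Unknown rule type: reject"), so a quick way to see which rules a given Snort build will refuse before starting it is to lint the rules file for its actions. The script below is an added example written for this page, not code from the thread or from the Snort project. It assumes Snort 2.8-era rule syntax (action, protocol, source, source port, direction, destination, destination port, then the option block in parentheses), treats drop, sdrop and reject as the inline-mode actions, and leaves it to the caller to say which actions the running build actually accepts: the thread reports that drop rules loaded while reject and sdrop did not, which is what the second check in the __main__ block mirrors. The sample local.rules embedded in the script is constructed, not the poster's attachment. Duplicate or missing sids are flagged as well, since those are the next errors Snort would raise once the rule types load.

```python
"""Lint a Snort 2.x rules file for rule types and sids before starting snort.

Added example; not the thread's local.rules and not Snort project code.
Assumed rule header format (Snort 2.8 era):
    <action> <proto> <src> <sport> <dir> <dst> <dport> ( <options> )
Which actions a particular build accepts is passed in by the caller.
"""
import re
import sys

# Rule actions accepted in plain IDS mode (assumption: Snort 2.8 rule set).
IDS_ACTIONS = frozenset({"alert", "log", "pass", "activate", "dynamic"})
# Actions that need the inline build (--enable-inline) and -Q at run time.
INLINE_ACTIONS = frozenset({"drop", "sdrop", "reject"})

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample rules file (hypothetical, not the poster's attachment).
SAMPLE_RULES = """\
# constructed sample local.rules
alert icmp any any -> any any (msg:"ICMP test"; sid:1000001; rev:1;)
drop tcp any any -> $HOME_NET 23 (msg:"drop telnet"; sid:1000002; rev:1;)
sdrop tcp any any -> $HOME_NET 21 (msg:"silent drop ftp"; sid:1000003; rev:1;)
reject tcp any any -> $HOME_NET 22 (msg:"reset ssh"; sid:1000004; rev:1;)
alert tcp any any -> any any (msg:"duplicate sid"; sid:1000001; rev:1;)
"""


def parse_rules(text):
    """Return one dict per non-comment line: line number, action, sid.

    action is None when the header does not match the expected format.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if m is None:
            rules.append({"line": lineno, "action": None, "sid": None})
            continue
        sid = SID_RE.search(m.group("opts"))
        rules.append({
            "line": lineno,
            "action": m.group("action").lower(),
            "sid": int(sid.group(1)) if sid else None,
        })
    return rules


def check_rules(text, allowed_actions):
    """Return sorted (line, message) problems for rules Snort would refuse.

    allowed_actions: the set of rule types the target build accepts, e.g.
    IDS_ACTIONS | INLINE_ACTIONS for an inline build started with -Q.
    """
    problems = []
    seen_sids = {}
    for r in parse_rules(text):
        if r["action"] is None:
            problems.append((r["line"], "malformed rule header"))
            continue
        if r["action"] not in allowed_actions:
            problems.append((r["line"], f"Unknown rule type: {r['action']}"))
        if r["sid"] is None:
            problems.append((r["line"], "missing sid"))
        elif r["sid"] in seen_sids:
            problems.append((r["line"], f"duplicate sid {r['sid']} "
                                        f"(first at line {seen_sids[r['sid']]})"))
        else:
            seen_sids[r["sid"]] = r["line"]
    return sorted(problems)


if __name__ == "__main__":
    # Usage: python rulecheck.py [local.rules]  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    print("inline build with -Q:")
    for line, msg in check_rules(text, IDS_ACTIONS | INLINE_ACTIONS):
        print(f"  line {line}: {msg}")
    print("build that only loads drop (what the thread observed):")
    for line, msg in check_rules(text, IDS_ACTIONS | {"drop"}):
        print(f"  line {line}: {msg}")
```

Run it against the real local.rules with the action set that matches the build in use; a reported line number corresponds to the "(N)" Snort prints in its "Unknown rule type" error, so the two lists should agree before the rule types are trusted. The header regex is deliberately strict about the direction operator, which also catches a header with a missing field.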