[Snort-users] Unable to run Snort in IPS mode

Sharma, Ashish ashish.sharma3 at ...6440...
Mon Feb 22 08:57:23 EST 2010


Rmkml,

Yes, but it's compiled for IDS mode only.

With regards
Ashish Sharma

-----Original Message-----
From: rmkml [mailto:rmkml at ...953...] 
Sent: Monday, February 22, 2010 7:18 PM
To: Sharma, Ashish
Cc: rmkml at ...953...
Subject: RE: [Snort-users] Unable to run Snort in IPS mode

ok thx you,
do you have another snort binary on this host please?
Regards
Rmkml


On Mon, 22 Feb 2010, Sharma, Ashish wrote:

> Rmkml,
>
> Please find attached my 'local.rules' file.
>
> Thanks
> Ashish Sharma
>
> -----Original Message-----
> From: rmkml [mailto:rmkml at ...953...]
> Sent: Monday, February 22, 2010 6:49 PM
> To: Sharma, Ashish
> Cc: rmkml at ...953...
> Subject: RE: [Snort-users] Unable to run Snort in IPS mode
>
> ok thx you Sharma,
> could you send local.rules please?
> Regards
> Rmkml
>
>
> On Mon, 22 Feb 2010, Sharma, Ashish wrote:
>
>> Rmkml,
>>
>> First of all thanks for helping.
>>
>> I don't think there is any problem with command formatting or 'RULE_PATH' variable error.
>>
>> Reason being that when I comment out the 'reject' and 'sdrop' rules from 'local.rules' file and only 'drop' rules are there, then 'Snort' is able to run fine and alerts are generated and logged.
>>
>> For your reference my 'Snort.conf' is attached.
>>
>> Thanks for helping again.
>>
>> Ashish Sharma
>>
>> -----Original Message-----
>> From: rmkml [mailto:rmkml at ...953...]
>> Sent: Monday, February 22, 2010 5:15 PM
>> To: Sharma, Ashish
>> Cc: rmkml at ...953...
>> Subject: Re: [Snort-users] Unable to run Snort in IPS mode
>>
>> Hi Sharma,
>> you start snort with cmd line:
>>  'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l /var/log/snort'
>> please remove space like ... -c /etc/snort/snort.conf ...
>> In your snort.conf, what does the RULE_PATH variable contain, please? Or send
>> snort.conf...
>> Regards
>> Rmkml
>>
>>
>> On Mon, 22 Feb 2010, Sharma, Ashish wrote:
>>
>>> Hi,
>>>
>>> I have a Fedora Core 10 virtual machine running on a Sun VirtualBox.
>>>
>>> I am trying to run Snort on this machine in IPS mode.
>>>
>>> I followed the following steps (I had already installed the prerequisites for Snort IPS):
>>>
>>> 1. Downloaded 'snort-2.8.5.2.tar.gz'
>>> 2. Extracted the binaries.
>>> 3. did './configure --enable-inline'
>>> 4. did 'make'
>>> 5. did 'make install'
>>> 6. copied snort rules and snort conf at appropriate location.
>>> 7. executed the following command:
>>> 'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l /var/log/snort'
>>> 8. Snort launches with the traces :
>>>
>>> Enabling inline operation
>>> Running in IDS mode
>>>
>>> --== Initializing Snort ==--
>>> Initializing Output Plugins!
>>> Initializing Preprocessors!
>>> ..................................
>>>
>>> Initializing rule chains...
>>> ERROR: /etc/snortIDSMode/rules /local.rules(10 ) Unknown rule type: reject.
>>> Fatal Error, Quitting..
>>>
>>> 8. As you can see, I have a test rule in local.rules that has a 'reject' rule in it, but Snort is not accepting it; the same is the case for the 'sdrop' rule also.
>>>
>>> 9. What is the problem, please help!!!!!
>>>
>>> What should I do in all to let my Snort run in IPS mode?
>>>
>>> Thanks in advance
>>>
>>> Ashish Sharma
>>>
>>
>



