[Snort-users] Unable to run Snort in IPS mode

Joel Esler jesler at ...1935...
Mon Feb 22 09:14:14 EST 2010


rmkml,

Please reply to all (cc'ing the Snort-Users list) when replying to a
Snort-Users email?  Thank you.

J

On Mon, Feb 22, 2010 at 8:57 AM, Sharma, Ashish <ashish.sharma3 at ...6440...> wrote:

> Rmkml,
>
> Yes, but it's compiled for IDS mode only.
>
> With regards
> Ashish Sharma
>
> -----Original Message-----
> From: rmkml [mailto:rmkml at ...953...]
> Sent: Monday, February 22, 2010 7:18 PM
> To: Sharma, Ashish
> Cc: rmkml at ...953...
> Subject: RE: [Snort-users] Unable to run Snort in IPS mode
>
> ok thx you,
> do you have another snort binary on this host please?
> Regards
> Rmkml
>
>
> On Mon, 22 Feb 2010, Sharma, Ashish wrote:
>
> > Rmkml,
> >
> > Please find attached my 'local.rules' file.
> >
> > Thanks
> > Ashish Sharma
> >
> > -----Original Message-----
> > From: rmkml [mailto:rmkml at ...953...]
> > Sent: Monday, February 22, 2010 6:49 PM
> > To: Sharma, Ashish
> > Cc: rmkml at ...953...
> > Subject: RE: [Snort-users] Unable to run Snort in IPS mode
> >
> > ok thx you Sharma,
> > could you send local.rules please?
> > Regards
> > Rmkml
> >
> >
> > On Mon, 22 Feb 2010, Sharma, Ashish wrote:
> >
> >> Rmkml,
> >>
> >> First of all thanks for helping.
> >>
> >> I don't think there is any problem with command formatting or 'RULE_PATH' variable error.
> >>
> >> Reason being that when I comment out the 'reject' and 'sdrop' rules from 'local.rules' file and only 'drop' rules are there, then 'Snort' is able to run fine and alerts are generated and logged.
> >>
> >> For your reference my 'Snort.conf' is attached.
> >>
> >> Thanks for helping again.
> >>
> >> Ashish Sharma
> >>
> >> -----Original Message-----
> >> From: rmkml [mailto:rmkml at ...953...]
> >> Sent: Monday, February 22, 2010 5:15 PM
> >> To: Sharma, Ashish
> >> Cc: rmkml at ...953...
> >> Subject: Re: [Snort-users] Unable to run Snort in IPS mode
> >>
> >> Hi Sharma,
> >> you start snort with cmd line:
> >>  'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l /var/log/snort'
> >> please remove space like ... -c /etc/snort/snort.conf ...
> >> in your snort.conf, what does the RULE_PATH variable contain please? or send
> >> snort.conf...
> >> Regards
> >> Rmkml
> >>
> >>
> >> On Mon, 22 Feb 2010, Sharma, Ashish wrote:
> >>
> >>> Hi,
> >>>
> >>> I have a fedora core 10 virtual machine running on a sun virtual box.
> >>>
> >>> I am trying to run Snort on this machine in IPS mode.
> >>>
> >>> I followed the following steps (I had already installed the prerequisites for Snort IPS):
> >>>
> >>> 1. Downloaded 'snort-2.8.5.2.tar.gz'
> >>> 2. Extracted the binaries.
> >>> 3. did './configure --enable-inline'
> >>> 4. did 'make'
> >>> 5. did 'make install'
> >>> 6. copied snort rules and snort conf at appropriate location.
> >>> 7. executed the following command :
> >>> 'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l /var/log/snort'
> >>> 8. Snort launches with the traces :
> >>>
> >>> Enabling inline operation
> >>> Running in IDS mode
> >>>
> >>> --== Initializing Snort ==--
> >>> Initializing Output Plugins!
> >>> Initializing Preprocessors!
> >>> ..................................
> >>>
> >>> Initializing rule chains...
> >>> ERROR: /etc/snortIDSMode/rules /local.rules(10 ) Unknown rule type: reject.
> >>> Fatal Error, Quitting..
> >>>
> >>> 8. As you can see I have a test rule in local.rule that has a 'reject' rule in it but snort is not accepting it, same is the case for 'sdrop' rule also.
> >>>
> >>> 9. What is the problem, please help!!!!!
> >>>
> >>> What should I do in all to let my Snort run in IPS mode
> >>>
> >>> Thanks in advance
> >>>
> >>> Ashish Sharma
> >>>
> >>
> >
>
>
>



-- 
Joel Esler
302-223-5974