[Snort-users] Unable to run Snort in IPS mode
ashish.sharma3 at ...6440...
Mon Feb 22 09:22:44 EST 2010
One of my drop rules in 'local.rules' is of the following type:
'drop icmp any any -> xxx.xxx.xxx.xxx any (msg: "Test ping activity";sid:1000002;)'
Here my intention is to drop any packet that is received for ICMP ping activity, but actually when I run my 'snort'
and 'ping' the destination machine, only alerts are logged and I receive the response to my 'ping' command too.
But I expect this should not happen with a 'drop' rule; no response should be received in this case.
From: Nigel Houghton [mailto:nhoughton at ...1935...]
Sent: Monday, February 22, 2010 7:42 PM
To: Sharma, Ashish
Cc: Snort Users List
Subject: Re: [Snort-users] Unable to run Snort in IPS mode
On Mon, Feb 22, 2010 at 8:37 AM, Sharma, Ashish <ashish.sharma3 at ...6440...> wrote:
> Please find attached my 'local.rules' file.
> Ashish Sharma
> -----Original Message-----
> From: rmkml [mailto:rmkml at ...953...]
> Sent: Monday, February 22, 2010 6:49 PM
> To: Sharma, Ashish
> Cc: rmkml at ...953...
> Subject: RE: [Snort-users] Unable to run Snort in IPS mode
> ok thx you Sharma,
> could you send local.rules please?
> On Mon, 22 Feb 2010, Sharma, Ashish wrote:
>> First of all thanks for helping.
>> I don't think there is any problem with command formatting or 'RULE_PATH' variable error.
>> Reason being that when I comment out the 'reject' and 'sdrop' rules from 'local.rules' file and only 'drop' rules are there, then 'Snort' is able to run fine and alerts are generated and logged.
>> For your reference my 'Snort.conf' is attached.
>> Thanks for helping again.
>> Ashish Sharma
>> -----Original Message-----
>> From: rmkml [mailto:rmkml at ...953...]
>> Sent: Monday, February 22, 2010 5:15 PM
>> To: Sharma, Ashish
>> Cc: rmkml at ...953...
>> Subject: Re: [Snort-users] Unable to run Snort in IPS mode
>> Hi Sharma,
>> you start snort with cmd line:
>> 'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l /var/log/snort'
>> please remove space like ... -c /etc/snort/snort.conf ...
>> in your snort.conf, what does the RULE_PATH variable contain please? or send
>> On Mon, 22 Feb 2010, Sharma, Ashish wrote:
>>> I have a Fedora Core 10 virtual machine running on Sun VirtualBox.
>>> I am trying to run Snort on this machine in IPS mode.
>>> I followed the following steps (I had already installed the prerequisites for Snort IPS):
>>> 1. Downloaded 'snort-188.8.131.52.tar.gz'
>>> 2. Extracted the binaries.
>>> 3. did './configure --enable-inline'
>>> 4. did 'make'
>>> 5. did 'make install'
>>> 6. copied the snort rules and snort.conf to the appropriate location.
>>> 7. executed the following command:
>>> 'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l /var/log/snort'
>>> 8. Snort launches with the traces:
>>> Enabling inline operation
>>> Running in IDS mode
>>> --== Initializing Snort ==--
>>> Initializing Output Plugins!
>>> Initializing Preprocessors!
>>> Initializing rule chains...
>>> ERROR: /etc/snortIDSMode/rules /local.rules(10 ) Unknown rule type: reject.
>>> Fatal Error, Quitting..
>>> 8. As you can see I have a test rule in local.rules that has a 'reject' rule in it, but snort is not accepting it; the same is the case for the 'sdrop' rule also.
>>> 9. What is the problem, please help!!!!!
>>> What should I do in all to let my Snort run in IPS mode?
>>> Thanks in advance
>>> Ashish Sharma
You have compiled Snort with --enable-inline. Your snort.conf looks
fine. The rules you have need to use the "drop" keyword instead of
"alert" so that they will drop the traffic in inline mode.
So your two rules would become:
drop tcp any any -> 184.108.40.206 25 (msg: "Test activity"; sid:1000003;)
drop tcp any any -> 220.127.116.11 3310 (msg: "Test activity"; sid:1000004;)
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
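A small rule linter that catches the two problems raised in this thread before Snort is started: rule actions that the running mode cannot use (the "Unknown rule type: reject" error) and 'alert' rules that are expected to block in inline mode. This is an added example, not code from the thread or from the Snort project, and assumes Snort 2.x rule syntax plus the constructed three-rule sample below:

```python
import re

# Snort 2.x actions: the first set parses in any mode; the second is meant
# for inline mode (-Q on an --enable-inline build). Outside it, 'reject'
# and 'sdrop' fail to parse ("Unknown rule type") and 'drop' cannot block.
PASSIVE_ACTIONS = {"alert", "log", "pass"}
INLINE_ACTIONS = {"drop", "sdrop", "reject"}
# Header layout: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def parse_rule(line):
    """Return header fields plus an 'options' dict, or None if not a rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    opts = {}
    for opt in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    rule["options"] = opts
    return rule

def lint_rules(text, inline):
    """Lint a local.rules body; inline=True means Snort is started with -Q."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is None:
            findings.append((n, "unparseable rule"))
        elif rule["action"] in INLINE_ACTIONS and not inline:
            findings.append((n, f"'{rule['action']}' requires inline mode (-Q)"))
        elif rule["action"] == "alert" and inline:
            findings.append((n, "'alert' only logs in inline mode; use 'drop'"))
        elif "sid" not in rule["options"]:
            findings.append((n, "missing sid"))
    return findings

# Constructed sample modelled on this thread's rules; addresses are placeholders.
SAMPLE = """\
alert tcp any any -> 10.0.0.5 25 (msg: "Test activity"; sid:1000003;)
reject tcp any any -> 10.0.0.5 3310 (msg: "Test activity"; sid:1000004;)
drop icmp any any -> 10.0.0.5 any (msg: "Test ping activity";sid:1000002;)
"""
```

Run `lint_rules(SAMPLE, inline=False)` to see why a non-inline start trips over the 'reject' rule, and `lint_rules(SAMPLE, inline=True)` to see the 'alert' rule that will never block.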