[Snort-users] Snort-users Digest, Vol 95, Issue 120

wyomesh deepanker wyomeshd at ...131...
Thu May 8 12:57:46 EDT 2014


Read <Snort Cook Book>


 
The World Is Not Enough...
On Wednesday, April 23, 2014 12:53 PM, "snort-users-request at ...3471...ge.net" <snort-users-request at lists.sourceforge.net> wrote:
 
Send Snort-users mailing list submissions to
    snort-users at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
    snort-users-request at lists.sourceforge.net

You can reach the person managing the list at
    snort-users-owner at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


When responding, please don't respond with the entire Digest.  Please trim your response.

Today's Topics:

   1. Re: Problem updating rule set with pulledpork (Jeremy Hoel)
   2. Re: FATAL ERROR: /etc/snort/snort.conf(0) Unable to open
      rules file "/etc/snort/snort.conf": Permission denied.#012
      (Jeremy Hoel)
   3. Re: FATAL ERROR: /etc/snort/snort.conf(0) Unable to open
      rules file "/etc/snort/snort.conf": Permission denied.#012
      (Teo En Ming)


----------------------------------------------------------------------

Message: 1
Date: Wed, 23 Apr 2014 00:25:59 -0600
From: Jeremy Hoel <jthoel at ...11827...>
Subject: Re: [Snort-users] Problem updating rule set with pulledpork
To: basant subba <basantsubba at ...11827...>
Cc: "snort-users at lists.sourceforge.net"
    <Snort-users at lists.sourceforge.net>
Message-ID:
    <CAH_p-VMEXp__znfYom0S+5fuUf=w16=_2SpPfVVEjAJeVVf+Dw at ...14676......>
Content-Type: text/plain; charset="utf-8"

If you post the error and your pulledpork configuration (minus the
commented lines) we might be able to help solve the problem.

The configuration file is pretty well documented.


On Tue, Apr 22, 2014 at 8:02 PM, basant subba <basantsubba at ...11827...> wrote:

> I am trying to update my snort rule set with pulled pork but every time
> it's throwing some error message about misconfiguration. Can anyone please
> provide a link to a tutorial on how to update my snort rule set with pulled
> pork?

------------------------------

Message: 2
Date: Wed, 23 Apr 2014 00:47:06 -0600
From: Jeremy Hoel <jthoel at ...11827...>
Subject: Re: [Snort-users] FATAL ERROR: /etc/snort/snort.conf(0)
    Unable to open rules file "/etc/snort/snort.conf": Permission
    denied.#012
To: bogdan at ...16812...,     "snort-users at lists.sourceforge.net"
    <snort-users at lists.sourceforge.net>
Message-ID:
    <CAH_p-VNWqB+t-qF-x5cAoPjYL2fjhaD3fWGZdKwhbq39jH6odQ at ...11828...>
Content-Type: text/plain; charset="utf-8"

Please remember to reply to the list.  And does snort have rx access to
/etc/snort?  Not just the files, but the folder.

Also, what command are you using to start snort?  Is it a file that came
from the yum repo or did you compile from source and use one included?

The error message makes it sound like it's looking for a rule file called
/etc/snort/snort.conf, but I don't have a snort box in front of me and you
aren't trying to include snort.conf in your snort.conf (self inclusion) so
it's not that.  It could be the way you're calling snort which is why I'm
asking to see the command/script.


On Wed, Apr 23, 2014 at 12:30 AM, Bogdan Grabinski <bogdan at ...16812...> wrote:

>  I attached snort.conf
>
>
> On 4/23/2014 2:14 AM, Jeremy Hoel wrote:
>
> Can you paste the output of your snort.conf file..   Or at least the
> includes section near the bottom for the rules?
>
>
> On Tue, Apr 22, 2014 at 11:42 PM, Bogdan Grabinski <bogdan at ...16812...> wrote:
>
>>
>> OS Centos 6.5
>> intel 64bit
>>
>> When I use:
>> service snortd start
>> I get a message that it fails, and /var/log/messages reports FATAL ERROR
>>
>> If I copy the same script from /etc/rc.d/init.d/snortd to /root
>>
>> then starting the snort as:
>> /root/snortd start
>> works well ( no problems )
>>
>>
>> Please help
>>
>>
>> FROM: /var/log/messages
>>
>> ----------------------------------------------------------------------------
>> Apr 23 01:20:57 cafe7 snort[11908]: Running in IDS mode
>> Apr 23 01:20:57 cafe7 snort[11908]:
>> Apr 23 01:20:57 cafe7 snort[11908]:         --== Initializing Snort ==--
>> Apr 23 01:20:57 cafe7 snort[11908]: Initializing Output Plugins!
>> Apr 23 01:20:57 cafe7 snort[11908]: Initializing Preprocessors!
>> Apr 23 01:20:57 cafe7 snort[11908]: Initializing Plug-ins!
>> Apr 23 01:20:57 cafe7 snort[11908]: Parsing Rules file "/etc/snort/snort.conf"
>> Apr 23 01:20:57 cafe7 snort[11908]: FATAL ERROR: /etc/snort/snort.conf(0) Unable to open rules file "/etc/snort/snort.conf": Permission denied.#012
>>
>> ----------------------------------------------------------------------------
>>
>>
>> [root at ...16813... ~]# ll /etc/snort/
>> total 4228
>> drwxr-xr-x.   5 snort snort    4096 Apr 22 19:42 .
>> drwxr-xr-x. 129 root  root    12288 Apr 22 20:06 ..
>> -rw-r--r--.   1 snort snort    3854 Mar 17 15:00 classification.config
>> -rw-r--r--.   1 snort snort    1880 Apr 14 02:53 disablesid.conf
>> -rw-r--r--.   1 snort snort    2092 Apr 14 02:53 dropsid.conf
>> -rw-r--r--.   1 snort snort    2078 Apr 14 02:53 enablesid.conf
>> -rw-r--r--.   1 snort snort   31162 Oct 24 17:00 gen-msg.map
>> -rw-r--r--.   1 snort snort    1510 Apr 14 02:53 modifysid.conf
>> drwxr-xr-x.   2 snort snort    4096 Mar 17 14:59 preproc_rules
>> -rw-r--r--.   1 snort snort   10312 Apr 14 02:53 pulledpork.conf
>> -rw-r--r--.   1 snort snort     746 Mar 17 15:00 reference.config
>> drwxr-xr-x.   2 snort snort    4096 Apr 22 18:09 rules
>> -rw-r--r--.   1 snort snort 4140731 Mar 17 15:03 sid-msg.map
>> -rw-r--r--.   1 snort snort   27701 Apr 22 18:09 snort.conf
>> drwxr-xr-x.   4 snort snort    4096 Feb 26 12:31 so_rules
>> -rw-r--r--.   1 snort snort    2556 Mar 17 15:00 threshold.conf
>> -rw-r--r--.   1 snort snort   53841 Mar 17 15:00 unicode.map
>> [root at ...16813... ~]#
>> [r

------------------------------

Message: 3
Date: Wed, 23 Apr 2014 15:01:13 +0800
From: Teo En Ming <teo.en.ming at ...11827...>
Subject: Re: [Snort-users] FATAL ERROR: /etc/snort/snort.conf(0)
    Unable to open rules file "/etc/snort/snort.conf": Permission
    denied.#012
To: bogdan at ...16812...
Cc: Snort Users <Snort-users at lists.sourceforge.net>
Message-ID:
    <CAKhF0wc-LGJ-_yU-PGZqcM9m7LJNbdq3kdNKF+aAtjHeZ_pxwg at ...11828...>
Content-Type: text/plain; charset="utf-8"

Did you turn off selinux?

echo 0 > /selinux/enforce

Teo En Ming


On Wed, Apr 23, 2014 at 1:42 PM, Bogdan Grabinski <bogdan at ...16812...> wrote:

>
> OS Centos 6.5
> intel 64bit
>
> When I use:
> service snortd start
> I get a message that it fails, and /var/log/messages reports FATAL ERROR
>
> If I copy the same script from /etc/rc.d/init.d/snortd to /root
>
> then starting the snort as:
> /root/snortd start
> works well ( no problems )
>
>
> Please help
>
>
> FROM: /var/log/messages
>
> ----------------------------------------------------------------------------
> Apr 23 01:20:57 cafe7 snort[11908]: Running in IDS mode
> Apr 23 01:20:57 cafe7 snort[11908]:
> Apr 23 01:20:57 cafe7 snort[11908]:         --== Initializing Snort ==--
> Apr 23 01:20:57 cafe7 snort[11908]: Initializing Output Plugins!
> Apr 23 01:20:57 cafe7 snort[11908]: Initializing Preprocessors!
> Apr 23 01:20:57 cafe7 snort[11908]: Initializing Plug-ins!
> Apr 23 01:20:57 cafe7 snort[11908]: Parsing Rules file "/etc/snort/snort.conf"
> Apr 23 01:20:57 cafe7 snort[11908]: FATAL ERROR: /etc/snort/snort.conf(0) Unable to open rules file "/etc/snort/snort.conf": Permission denied.#012
>
> ----------------------------------------------------------------------------
>
>
> [root at ...16813... ~]# ll /etc/snort/
> total 4228
> drwxr-xr-x.   5 snort snort    4096 Apr 22 19:42 .
> drwxr-xr-x. 129 root  root    12288 Apr 22 20:06 ..
> -rw-r--r--.   1 snort snort    3854 Mar 17 15:00 classification.config
> -rw-r--r--.   1 snort snort    1880 Apr 14 02:53 disablesid.conf
> -rw-r--r--.   1 snort snort    2092 Apr 14 02:53 dropsid.conf
> -rw-r--r--.   1 snort snort    2078 Apr 14 02:53 enablesid.conf
> -rw-r--r--.   1 snort snort   31162 Oct 24 17:00 gen-msg.map
> -rw-r--r--.   1 snort snort    1510 Apr 14 02:53 modifysid.conf
> drwxr-xr-x.   2 snort snort    4096 Mar 17 14:59 preproc_rules
> -rw-r--r--.   1 snort snort   10312 Apr 14 02:53 pulledpork.conf
> -rw-r--r--.   1 snort snort     746 Mar 17 15:00 reference.config
> drwxr-xr-x.   2 snort snort    4096 Apr 22 18:09 rules
> -rw-r--r--.   1 snort snort 4140731 Mar 17 15:03 sid-msg.map
> -rw-r--r--.   1 snort snort   27701 Apr 22 18:09 snort.conf
> drwxr-xr-x.   4 snort snort    4096 Feb 26 12:31 so_rules
> -rw-r--r--.   1 snort snort    2556 Mar 17 15:00 threshold.conf
> -rw-r--r--.   1 snort snort   53841 Mar 17 15:00 unicode.map
> [root at ...16813... ~]#
> [r

------------------------------

End of Snort-users Digest, Vol 95, Issue 120
********************************************
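
A way to separate the two questions raised in Messages 2 and 3 (directory and file permissions versus SELinux), as an added example that is not from any poster in the thread: it reads `ls -l` lines copied from the listing above, where the trailing `.` on each mode string is GNU ls's marker for an SELinux security context, and `selinux_checks` collects read-only commands for inspecting labels and logged denials on the host. The function names and the `snort` user/group arguments are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample input: two lines copied from the listing in the thread.
DIR_LINE='drwxr-xr-x.   5 snort snort    4096 Apr 22 19:42 .'
CONF_LINE='-rw-r--r--.   1 snort snort   27701 Apr 22 18:09 snort.conf'

# dac_allows LINE USER GROUP NEED
# Succeeds if the mode bits of an `ls -l` line grant every letter in NEED
# (e.g. "r" or "rx") to USER/GROUP. Plain rwx only; root's override is ignored.
dac_allows() {
    read -r mode _links owner fgroup _rest <<EOF
$1
EOF
    if [ "$2" = "$owner" ]; then cols=2-4        # owner triad
    elif [ "$3" = "$fgroup" ]; then cols=5-7     # group triad
    else cols=8-10; fi                           # other triad
    triad=$(printf '%s\n' "$mode" | cut -c"$cols")
    for p in $(printf '%s\n' "$4" | sed 's/./& /g'); do
        case $triad in *"$p"*) ;; *) return 1 ;; esac
    done
    return 0
}

# A mode field ending in "." means the file carries an SELinux context.
has_selinux_label() {
    case ${1%% *} in *.) return 0 ;; *) return 1 ;; esac
}

# triage DIR_LINE FILE_LINE USER GROUP -> prints where to look next
triage() {
    dac_allows "$1" "$3" "$4" rx || { echo dac-directory; return; }
    dac_allows "$2" "$3" "$4" r  || { echo dac-file; return; }
    if has_selinux_label "$2"; then echo check-selinux; else echo look-elsewhere; fi
}

# Read-only follow-up for the affected host (run as root); not called here.
selinux_checks() {
    getenforce                                # Enforcing / Permissive / Disabled
    ls -Zd /etc/snort /etc/snort/snort.conf   # labels the policy evaluates
    ausearch -m avc -c snort -ts recent       # denials logged for the snort command
    restorecon -Rnv /etc/snort                # -n: report label drift, change nothing
}

triage "$DIR_LINE" "$CONF_LINE" snort snort
```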