[Snort-users] snort NIDS

Joel Esler (jesler) jesler at ...589...
Sat Feb 7 16:03:52 EST 2015


On Feb 6, 2015, at 7:29 PM, rezaa abedi <nndreza at ...131...> wrote:

Hi all,

I installed Snort on my Ubuntu machine and I need to edit Snort’s main configuration file, /etc/snort/snort.conf. When I run Snort with this file as an argument, it tells Snort to run in NIDS mode.
Before I run Snort in NIDS mode, I need to make a few edits to the default configuration file. I need to comment out all of the individual rule files that are referenced in the Snort configuration file, since instead of downloading each file individually, I will use PulledPork to manage our rulesets, which combines all the rules into a single file. The following line is supposed to comment out all rulesets in our snort.conf file, but it does not work:

sudo sed -i ’s/include \$RULE\_PATH/#include \$RULE\_PATH/’ /etc/snort/snort.conf

Any ideas, please? This is the error I get every time I run the above command:
$~/snort_src/snort-2.9.7.0$ sudo sed -i ’s/include \$RULE\_PATH/#include \$RULE\_PATH/’ /etc/snort/snort.conf
sed: -e expression #1, char 1: unknown command: `�’

Looks like your error is listed above.  So let’s examine your command:

sudo sed -i ’s/include \$RULE\_PATH/#include \$RULE\_PATH/’ /etc/snort/snort.conf

The error is in the first “apostrophe”. You don’t have a true apostrophe there. What you want to do is probably:

sudo sed -i 's/include\ \$RULE\_PATH/#include\ \$RULE\_PATH/' /etc/snort/snort.conf


That being said, the above will not turn off all rules in the snort.conf; it will just comment out the RULE_PATH, which will cause more errors. You probably want to remove all the “include $RULE_PATH/<rulefile>.rules” lines in your snort.conf and replace them all with a single entry of snort.rules.



--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
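
Added example (not part of the original thread, and not Snort or PulledPork code): one way to do what the reply recommends, removing the per-file include $RULE_PATH/<rulefile>.rules lines and leaving a single snort.rules entry, plus a check for the typographic quotes that caused the sed error. The function names and the sample snort.conf contents are constructed for illustration, and it assumes the combined rules file is $RULE_PATH/snort.rules.

```shell
#!/bin/sh
# Added example with constructed names and data. Plain ASCII quotes throughout.

# Return 0 if a pasted command contains typographic quotes, which the shell
# hands to sed as ordinary bytes instead of treating them as quoting.
has_typographic_quotes() {
    case $1 in *‘*|*’*|*“*|*”*) return 0 ;; esac
    return 1
}

# Count active (uncommented) "include $RULE_PATH/..." lines in a config file.
count_rule_includes() {
    grep -c '^[[:space:]]*include[[:space:]]\{1,\}\$RULE_PATH/' "$1" || true
}

# Delete every active per-file rule include, then append one include for the
# combined file. "var RULE_PATH", commented lines and other includes are kept.
# The original is saved as CONF.bak first.
consolidate_rule_includes() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak" || return 1
    tmp=$(mktemp) || return 1
    # Single quotes keep $RULE_PATH away from the shell; \$ is a literal "$".
    sed '/^[[:space:]]*include[[:space:]]\{1,\}\$RULE_PATH\/.*\.rules[[:space:]]*$/d' \
        "$conf.bak" > "$tmp" || return 1
    printf '%s\n' 'include $RULE_PATH/snort.rules' >> "$tmp"
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Write a small constructed snort.conf fragment to the given path.
make_sample_conf() {
    cat > "$1" <<'EOF'
var RULE_PATH ../rules
include classification.config
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
  include $RULE_PATH/web-client.rules
# include $RULE_PATH/deleted.rules
include $PREPROC_RULE_PATH/preprocessor.rules
EOF
}

# Demo on a constructed file in a temp directory (never touches /etc/snort).
d=$(mktemp -d) && make_sample_conf "$d/snort.conf" \
    && consolidate_rule_includes "$d/snort.conf" && cat "$d/snort.conf"
rm -rf "$d"
```

Point it at a copy of the real configuration first and diff the result against the .bak file before replacing /etc/snort/snort.conf.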