[Snort-users] Startup error post-package install
research at ...17107...
Thu Feb 26 12:58:20 EST 2015
On Feb 26, 2015, at 12:45 PM, James Lay <jlay at ...13475...> wrote:
> On Thu, 2015-02-26 at 12:11 -0500, Research wrote:
>> I have just begun using Snort and am following along with a book ("Linux Firewalls", 4th Edition (c) 2015). I am currently just focussing on getting Snort up and running and plan to read the full Snort documentation set next.
>> Installing on Ubuntu 22.214.171.124 LTS via the following:
>> sudo apt-get install snort
>> …installs Snort. Version is:
>> snort -V
>> …returning "Version 2.9.2 IPv6 GRE (Build 78)".
>> I verified in: /etc/snort/snort.conf that the ruleset that ships with the Ubuntu package is correctly referenced:
>> var RULE_PATH /etc/snort/rules
>> I then attempted to start Snort in non-daemon mode with:
>> sudo snort start -c /etc/snort/snort.conf
>> …however I receive the following and then termination:
>> (lines omitted)
>> Initializing rule chains...
>> WARNING /etc/snort/rules/chat.rules(33) threshold (in rule) is deprecated; use detection_filter instead.
>> ERROR: /etc/snort/rules/community-virus.rules(19) !any is not allowed: !$DNS_SERVERS.
>> Fatal Error, Quitting..
>> At this point, however, I have not edited any of the default rules or snort.conf configuration file.
>> If I then run Snort in daemon mode, there is success - Snort does not terminate - and I see alerts in the snort.log file.
>> What is going wrong on the non-daemon start that is causing it to terminate?
> I suggest you reference:
> Installing and upgrading from source matches well with the speed at which snort is updated (current version is 2.9.7....2.9.2 is ANCIENT). I do not know of any repos that keep a current version of snort.
Thank you for the document outlining installing from source. I will proceed to try that out in a test VM and then replicate the process on my web server.
Out of curiosity - have later versions of Snort (such as 2.9.7 as you mention) rectified the problem I ran into, or is it likely the same thing will happen? I ask because I appreciate knowing about the latest version and will install it, but wonder if it will address the issue of snort terminating when I run it in non-daemon mode?