[Snort-users] Startup error post-package install

Research research at ...17107...
Thu Feb 26 12:58:20 EST 2015


On Feb 26, 2015, at 12:45 PM, James Lay <jlay at ...13475...> wrote:

> On Thu, 2015-02-26 at 12:11 -0500, Research wrote:
>> 
>> Hello,
>> 
>> I have just begun using Snort and am following along with a book ("Linux Firewalls", 4th Edition (c) 2015).  I am currently just focussing on getting Snort up and running and plan to read the full Snort documentation set next.
>> 
>> Installing on Ubuntu 12.0.4.5 LTS via the following:
>> 
>> 	sudo apt-get install snort
>> 
>> …installs Snort.  Version is:
>> 
>> 	snort -V
>> 
>> …returning "Version 2.9.2 IPv6 GRE (Build 78)".
>> 
>> I verified in: /etc/snort/snort.conf that the ruleset that ships with the Ubuntu package is correctly referenced:
>> 
>> 	var RULE_PATH /etc/snort/rules
>> 
>> I then attempted to start Snort in non-daemon mode with:
>> 
>> 	sudo snort start -c /etc/snort/snort.conf
>> 
>> …however I receive the following and then termination:
>> 
>> 	(lines omitted)
>> 	+++++++++++++++++++++++++++++++++++++++++++++++++++
>> 	Initializing rule chains...
>> 	WARNING /etc/snort/rules/chat.rules(33) threshold (in rule) is deprecated; use detection_filter instead.
>> 	ERROR: /etc/snort/rules/community-virus.rules(19) !any is not allowed: !$DNS_SERVERS.
>> 	Fatal Error, Quitting..
>> 
>> At this point, however, I have not edited any of the default rules or snort.conf configuration file.
>> 
>> If I then run Snort in daemon mode, there is success - Snort does not terminate - and I see alerts in the snort.log file.
>> 
>> What is going wrong on the non-daemon start that is causing it to terminate?
>> 
>> Thanks
> I suggest you reference:
> 
> https://snort.org/documents/snort-2-9-7-x-on-ubuntu-12-lts-and-14-lts
> 
> Installing and upgrading from source matches well with the speed at which snort is updated (current version is 2.9.7....2.9.2 is ANCIENT).  I do not know of any repos that keep a current version of snort.
> 
> James

Hi James,

Thank you for the document outlining installing from source.  I will proceed to try that out in a test VM and then replicate the process on my web server.

Out of curiosity - have later versions of Snort (such as 2.9.7 as you mention) rectified the problem I ran into, or is it likely the same thing will happen?  I ask because I appreciate knowing about the latest version and will install it, but wonder if it will address the issue of snort terminating when I run it in non-daemon mode?

Thanks