[Snort-users] Startup error post-package install

James Lay jlay at ...13475...
Thu Feb 26 13:39:14 EST 2015


On Thu, 2015-02-26 at 12:58 -0500, Research wrote:

> On Feb 26, 2015, at 12:45 PM, James Lay <jlay at ...13475...>
> wrote:
> 
> 
> 
> > On Thu, 2015-02-26 at 12:11 -0500, Research wrote: 
> > 
> > > Hello,
> > > 
> > > I have just begun using Snort and am following along with a book ("Linux Firewalls", 4th Edition (c) 2015).  I am currently just focussing on getting Snort up and running and plan to read the full Snort documentation set next.
> > > 
> > > Installing on Ubuntu 12.0.4.5 LTS via the following:
> > > 
> > > 	sudo apt-get install snort
> > > 
> > > …installs Snort.  Version is:
> > > 
> > > 	snort -V
> > > 
> > > …returning "Version 2.9.2 IPv6 GRE (Build 78)".
> > > 
> > > I verified in: /etc/snort/snort.conf that the ruleset that ships with the Ubuntu package is correctly referenced:
> > > 
> > > 	var RULE_PATH /etc/snort/rules
> > > 
> > > I then attempted to start Snort in non-daemon mode with:
> > > 
> > > 	sudo snort start -c /etc/snort/snort.conf
> > > 
> > > …however I receive the following and then termination:
> > > 
> > > 	(lines omitted)
> > > 	+++++++++++++++++++++++++++++++++++++++++++++++++++
> > > 	Initializing rule chains...
> > > 	WARNING /etc/snort/rules/chat.rules(33) threshold (in rule) is deprecated; use detection_filter instead.
> > > 	ERROR: /etc/snort/rules/community-virus.rules(19) !any is not allowed: !$DNS_SERVERS.
> > > 	Fatal Error, Quitting..
> > > 
> > > At this point, however, I have not edited any of the default rules or snort.conf configuration file.
> > > 
> > > If I then run Snort in daemon mode, there is success - Snort does not terminate - and I see alerts in the snort.log file.
> > > 
> > > What is going wrong on the non-daemon start that is causing it to terminate ?
> > > 
> > > Thanks
> > 
> > I suggest you reference:
> > 
> > https://snort.org/documents/snort-2-9-7-x-on-ubuntu-12-lts-and-14-lts
> > 
> > Installing and upgrading from source matches well with the speed at
> > which snort is updated (current version is 2.9.7....2.9.2 is
> > ANCIENT).  I do not know of any repos that keep a current version of
> > snort.
> > 
> > James
> 
> 
> 
> Hi James,
> 
> 
> Thank you for the document outlining installing from source.  I will
> proceed to try that out in a test VM and then replicate the process on
> my web server.
> 
> 
> Out of curiosity - have later versions of Snort (such as 2.9.7 as you
> mention), rectified the problem I ran into or is it likely the same
> thing will happen.  I ask because I appreciate knowing about the
> latest version and will install it, but wonder if it will address the
> issue of snort terminating when I run it in non-daemon mode ?
> 
> 
> Thanks
> 


To be brutally honest, I have no clue, but step 1 is to get up to date
to the same level that (I am guessing at least) everyone else is on.
After that we can start to troubleshoot.  Just by looking at the error I
would be interested to see what your var lines look like (now ipvar in
the latest version of snort) at the top of your snort.conf file.

James
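
An added example (not part of the original post, and not Snort project code): a small Python check for the condition the error message names, a negated variable in a rule header that expands to `any`. The snort.conf excerpt and the two rules are constructed samples, the function names are hypothetical, and only direct `$NAME` references are followed (bracketed lists are treated as literals).

```python
import re

# Constructed sample input, not taken from the poster's system.
SAMPLE_CONF = """\
# constructed snort.conf excerpt
var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
ipvar SMTP_SERVERS [10.0.0.25,10.0.0.26]
var RULE_PATH /etc/snort/rules
"""
SAMPLE_RULES = """\
alert udp $HOME_NET any -> !$DNS_SERVERS 53 (msg:"constructed rule A"; sid:1000001;)
alert tcp !$SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"constructed rule B"; sid:1000002;)
"""

VAR_LINE = re.compile(r"^\s*(?:var|ipvar)\s+(\w+)\s+(\S+)")
NEGATED_VAR = re.compile(r"!\$(\w+)")

def parse_vars(conf_text):
    """Map variable name -> raw value for every var/ipvar line."""
    table = {}
    for line in conf_text.splitlines():
        m = VAR_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2)
    return table

def resolve(name, table, seen=()):
    """Follow $NAME references until a literal value is reached."""
    value = table.get(name)
    if value is None or name in seen:
        return None  # undefined or circular reference
    if value.startswith("$"):
        return resolve(value[1:], table, seen + (name,))
    return value

def find_negated_any(rules_text, table):
    """Return (line_no, variable) for each !$VAR in a rule header that resolves to 'any'."""
    hits = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out rule
        header = line.split("(", 1)[0]  # addresses and ports only, not rule options
        hits += [(no, v) for v in NEGATED_VAR.findall(header) if resolve(v, table) == "any"]
    return hits

if __name__ == "__main__":
    for no, var in find_negated_any(SAMPLE_RULES, parse_vars(SAMPLE_CONF)):
        print(f"rule line {no}: !${var} expands to !any")
```
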