[Snort-users] Startup error post-package install

Research research at ...17107...
Thu Feb 26 16:14:32 EST 2015

On Feb 26, 2015, at 2:34 PM, Y M <snort at ...15979...> wrote:

> > ERROR: /etc/snort/rules/community-virus.rules(19) !any is not allowed: !$DNS_SERVERS.
> > Fatal Error, Quitting..
> This error is due to the fact that $DNS_SERVERS variable is defined as any, however, you have a rule in "community-virus.rules" that looks for IP addresses that are "not" in $DNS_SERVERS by using the deny operator "!"; i.e.: the rules is negating any, which is not an IP address. This is not a Snort error per se, you need to define the IP addresses that should go into $DNS_SERVERS, $HOME_NET, etc so that when the negation takes place, it negates IP addresses and not the keyword any.
> > 
> > At this point, however, I have not edited any of the default rules or snort.conf configuration file.
> > 
> > If I then run Snort in daemon mode, there is success - Snort does not terminate - and I see alerts in the snort.log file.
> > 
> > What is going wrong on the non-daemon start that is causing it to terminate ?
> > 
> > Thanks


I was able to follow the excellent documentation you mentioned, James, at: 


…and successfully compiled the most up-to-date version.  Running:

	snort -V

…results in:

	Version GRE (Build 149)

I continued to follow the instructions and filed in some of the variables, which Y M noted was likely causing problems in the default rules that were bundled in the Ubuntu package for the older version.  Running a test run on the correctness of the new config files yielded no errors.

I then ran Snort with outputting to console and then created the test rule in the documentation that fires on ICMP traffic:

	alert icmp any any -> any (msg:"ICMP test"; sid:10000001; rev:001;)

…where is the stand-in for my web servers public IP address.  Running ping against the server yielded the following on the console:

	02/26-15:59:42.543423  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} ->

…which verified for me that operation was successful.

One last question remains - my firewall is set to block all ICMP traffic and this shows up when running a ping on another machine against the firewall - the responses are dropped and ping breaks.  However, on the server that the firewall is on, Snort is able to see the ICMP traffic and fire the rule.

Does this mean that Snort is looking at traffic *BEFORE* iptables blocks/allows it ?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150226/42c86418/attachment.html>

More information about the Snort-users mailing list