[Snort-users] Startup error post-package install

James Lay jlay at ...13475...
Thu Feb 26 16:27:07 EST 2015


On Thu, 2015-02-26 at 16:14 -0500, Research wrote:

> On Feb 26, 2015, at 2:34 PM, Y M <snort at ...15979...> wrote:
> 
> 
> 
> > > ERROR: /etc/snort/rules/community-virus.rules(19) !any is not
> > allowed: !$DNS_SERVERS.
> > > Fatal Error, Quitting..
> > 
> > 
> > This error is due to the fact that $DNS_SERVERS variable is defined
> > as any, however, you have a rule in "community-virus.rules" that
> > looks for IP addresses that are "not" in $DNS_SERVERS by using the
> > deny operator "!"; i.e.: the rule is negating any, which is not an
> > IP address. This is not a Snort error per se, you need to define the
> > IP addresses that should go into $DNS_SERVERS, $HOME_NET, etc so
> > that when the negation takes place, it negates IP addresses and not
> > the keyword any.
> > 
> > > 
> > > At this point, however, I have not edited any of the default rules
> > or snort.conf configuration file.
> > > 
> > > If I then run Snort in daemon mode, there is success - Snort does
> > not terminate - and I see alerts in the snort.log file.
> > > 
> > > What is going wrong on the non-daemon start that is causing it to
> > terminate ?
> > > 
> > > Thanks
> 
> 
> 
> Hi,
> 
> 
> I was able to follow the excellent documentation you mentioned, James,
> at: 
> 
> 
> https://snort.org/documents/snort-2-9-7-x-on-ubuntu-12-lts-and-14-lts
> 
> 
> …and successfully compiled the most up-to-date version.  Running:
> 
> 
> snort -V
> 
> 
> …results in:
> 
> 
> Version 2.9.7.0 GRE (Build 149)
> 
> 
> I continued to follow the instructions and filled in some of the
> variables, which Y M noted was likely causing problems in the default
> rules that were bundled in the Ubuntu package for the older version.
>  Running a test run on the correctness of the new config files yielded
> no errors.
> 
> 
> I then ran Snort with outputting to console and then created the test
> rule in the documentation that fires on ICMP traffic:
> 
> 
> alert icmp any any -> 1.2.3.4 any (msg:"ICMP test"; sid:10000001;
> rev:001;)
> 
> 
> …where 1.2.3.4 is the stand-in for my web server's public IP address.
>  Running ping against the server yielded the following on the console:
> 
> 
> 02/26-15:59:42.543423  [**] [1:10000001:1] ICMP test [**] [Priority:
> 0] {ICMP} 5.6.7.8 -> 1.2.3.4
> 
> 
> …which verified for me that operation was successful.
> 
> 
> One last question remains - my firewall is set to block all ICMP
> traffic and this shows up when running a ping on another machine
> against the firewall - the responses are dropped and ping breaks.
>  However, on the server that the firewall is on, Snort is able to see
> the ICMP traffic and fire the rule.
> 
> 
> Does this mean that Snort is looking at traffic *BEFORE* iptables
> blocks/allows it ?
> 
> 
> Thanks
> 


Indeed it is.

James
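A pre-start lint for the "!any is not allowed" error discussed at the top of the thread, written as an added example (not code from the Snort project or from anyone in this thread). It assumes a snort.conf using `ipvar`/`var` lines and rules in the standard header format; the conf and rule fragments below are constructed to reproduce the Ubuntu-package defaults (HOME_NET and DNS_SERVERS left as `any`).

```python
"""Flag Snort rule headers that negate a variable resolving to 'any'."""
import re

# Constructed snort.conf fragment: the package defaults that trigger the error.
SAMPLE_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
ipvar DNS_SERVERS $HOME_NET
"""

# Constructed rules: the second negates a variable that resolves to any.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ok rule"; sid:1; rev:1;)
alert udp any any -> !$DNS_SERVERS 53 (msg:"bad rule"; sid:2; rev:1;)
"""

VAR_RE = re.compile(r'^\s*(?:ipvar|var)\s+(\w+)\s+(\S+)', re.M)
# action proto src srcport dir dst dstport; commented-out rules do not match
HEADER_RE = re.compile(
    r'^\s*(?:alert|log|pass|drop|reject|sdrop)\s+\w+\s+(\S+)\s+\S+\s+(?:->|<>)\s+(\S+)\s+\S+')

def parse_vars(conf_text):
    """Map variable name -> raw value as written in snort.conf."""
    return dict(VAR_RE.findall(conf_text))

def resolve(value, variables, depth=0):
    """Follow $VAR references (e.g. DNS_SERVERS -> HOME_NET) to a literal."""
    if depth > 20:  # guard against self-referential definitions
        return value
    if value.startswith('$') and value[1:] in variables:
        return resolve(variables[value[1:]], variables, depth + 1)
    return value

def find_negated_any(conf_text, rules_text):
    """Return (line_number, field, address) for each header field that negates any."""
    variables = parse_vars(conf_text)
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        m = HEADER_RE.match(line)
        if not m:
            continue
        for field, addr in (('src', m.group(1)), ('dst', m.group(2))):
            if addr.startswith('!') and resolve(addr[1:], variables).lower() == 'any':
                findings.append((lineno, field, addr))
    return findings

if __name__ == '__main__':
    for lineno, field, addr in find_negated_any(SAMPLE_CONF, SAMPLE_RULES):
        print(f'rule line {lineno}: {field} address {addr} negates any')
```

Running it against the real /etc/snort/snort.conf and rule files before `snort -T` surfaces every rule that would abort startup once a variable is still set to `any`.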