Snort unable to open rules file windows

First time Snort user and running into two issues. After installation on a Windows 10 machine, I am able to initialize snort via an elevated command prompt: snort -A console. While snort it running

First time Snort user and running into two issues. After installation on a Windows 10 machine, I am able to initialize snort via an elevated command prompt: snort -A console. While snort it running however I noticed «Warning: No Preprocessors configured for policy 0.» mixed into the console output.

A quick Stackoverflow search pointed me to run the following command to solve this, they said: This message indicates that no snort preprocessor is loaded. In order to get rid of this warning, please use the command: snort -v -c /etc/snort/snort.conf

But when I run this command I am greeted with another error:

Running in IDS mode
—== Initializing Snort ==—
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file «/etc/snort/snort.conf»
ERROR: /etc/snort/snort.conf(0) Unable to open rules file «/etc/snort/snort.conf»: No such file or directory.
Fatal Error, Quitting..

This is where I get lost since that’s where I have the config file (initally it was just /etc/snort.conf, but created a snort folder so the directory / file exists).

If anyone has any insight into this I would be more than grateful!

This is my first with snort. And I can’t get it to run.
I followed this tutorial exactly. And I have fedora 21.

Here’s the output from snort -c /etc/snort/snort.conf -v -i enp0s3:

Running in IDS mode

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80:81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
ERROR: /etc/snort//etc/snort/rules/app-detect.rules(0) Unable to open rules file "/etc/snort//etc/snort/rules/app-detect.rules": No such file or directory.

Fatal Error, Quitting..

The problem is at the end of the log. It doesn’t seem like serious, but I can’t figure it out.
Here’s the section I edited in snort.conf:

var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

# If you are using reputation preprocessor set these
# Currently there is a bug with relative paths, they are relative to where snort is
# not relative to snort.conf like the above variables
# This is completely inconsistent with how other vars work, BUG 89986
# Set the absolute path appropriately
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

The rule I think is causing the problem:

include $RULE_PATH/app-detect.rules

Я пытаюсь настроить и запустить Snort IDS на Mac с помощью своего рода учебника:https://discussions.apple.com/thread/3370709?start=0&tstart=0

OSX Yosemite (10.10.2); PostgreSQL 9.4.1 (установлен с Homebrew) Snort: стабильный 2.9.7.0 (установлен с Homebrew)

Когда я наконец пытаюсь сыграть это так:

$ sudo /usr/local/bin/snort -d -e -i en0 -c /etc/snort/snort.conf

Получение этого:

Password:

Running in IDS mode

  --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
...
ERROR: /etc/snort/../rules/local.rules(0) Unable to open rules file "/etc/snort/../rules/local.rules": No such file or directory.

Fatal Error, Quitting..

Правило действительно на месте в /etc/snort/rules/local.rules

RULE_PATH устанавливается в /etc/snort/snort.conf в /etc/snort/rules

Так:

$ echo $RULE_PATH
/etc/snort/rules

пробую это:

$ grep RULE_PATH /etc/snort/snort.conf

var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
...

Хорошо после смены

var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules

в

var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

Получение:

$ sudo /usr/local/bin/snort -d -e -i en0 -c /etc/snort/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
...
ERROR: /etc/snort/snort.conf(741) Unknown output plugin: "database"
Fatal Error, Quitting..

Строка 741 в /etc/snort/snort.conf :

output database: log, postgresql, user=snort password=password dbname=snort host=localhost

Так как прямой вывод базы данных snort 2.9.3.0 больше не поддерживается. Я должен использовать унифицированный вывод snort. Я мог бы использовать Barnyard2 вместо того, чтобы перенаправить на postgresql.

Содержание

  1. Arch Linux
  2. #1 2017-04-16 08:36:17
  3. SNORT configuration issue — white_list.rules Error
  4. #2 2017-04-16 08:46:23
  5. Re: SNORT configuration issue — white_list.rules Error
  6. #3 2017-04-17 09:09:21
  7. Re: SNORT configuration issue — white_list.rules Error
  8. Thread: Snort Error
  9. Snort Error
  10. Re: Snort Error
  11. Re: Snort Error
  12. Re: Snort Error
  13. Re: Snort Error
  14. Re: Snort Error
  15. Installing PulledPork on Raspbian: /etc/snort/rules/snort.rules not created #315
  16. Comments
  17. Footer
  18. How to install Snort on Debian
  19. Preparing your server
  20. Installing from the source
  21. Configuring Snort to run in NIDS mode
  22. Setting up username and folder structure
  23. Option 1. Using community rules
  24. Option 2. Obtaining registered user rules
  25. Configuring the network and rule sets
  26. Validating settings
  27. Testing the configuration
  28. Running Snort in the background
  29. Conclusions

Arch Linux

You are not logged in.

#1 2017-04-16 08:36:17

SNORT configuration issue — white_list.rules Error

for better protection I decided to configure SNORT on my PC, which I use as server.
In the begining I had some issue, but solved the with help of this post https://www.howtoforge.com/intrusion-detection-with-snort-mysql-apache2-on-ubuntu-7.10.
I downloaded the rules from www.snort.org and stored them in/etc/snort/rules

The only remaining issue is with this:
after I start «snort -c /etc/snort/snort.conf» I get this error

I have checked the folder and rules I downloaded and indeed this one is missing (white_list.rules).
is the any template which I can use?

Can somebody help me to solve this?

#2 2017-04-16 08:46:23

Re: SNORT configuration issue — white_list.rules Error

Did you try commenting that line in your conf?

Why are you using an ancient Ububtu tutorial; there is a wiki page: https://wiki.archlinux.org/index.php/Sn … figuration

Registered Linux User #482438

#3 2017-04-17 09:09:21

Re: SNORT configuration issue — white_list.rules Error

thats how I now tried to solve the issue.

First place is definition of the path:

When I commented this line I got error:

therefore I found second place in config file:

Second place look like this:

so I changed it to

As you see there name for the file with black list rules looks now different than before. This is becuase I nopticed that’s the name I see in that directory is different than proposed in config file.

The next issue I faced was:

This error is gone when I disabled black list as well, but I think this is not good approach.
So how I can solve such error like «Invalid address: ‘alert udp $HOME_NET any » ?

My variables in config file look like this:

And last question is about usage of rules.
On SNORT home page I see cummunity rules plus another package (available after registration) which contains a lot of rules.
Actually I downloaded both, but I think there is redundancy:

When I have this line in config (plus other rules)

Источник

Thread: Snort Error

Thread Tools
Display

Snort Error

I have installed Snort but when I run the command
snort -A full -c /etc/snort/snort.conf
I get the following error,
Running in IDS mode

—== Initializing Snort ==—
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

++++++++++++++++++++++++++++++++++++++++++++++++++ +
Initializing rule chains.
ERROR: Unable to open rules file: /etc/snort/snort.conf or /etc/snort/snort.conf
Fatal Error, Quitting..
What is going wrong ?

Re: Snort Error

Are you sure it installed properly? Tried re-installing?

Re: Snort Error

Reinstalled the four packages from Synaptic but the error persists.

Re: Snort Error

And do both of these files exist? What user level are you trying to start snort as? What are the permissions on the 2 files listed above? Have you tried sudo?

Re: Snort Error

Both the paths refer to the same file. And that file exists.
I tried sudo and it seems to be working that way. After a long length of reporting it displayed :

—== Initialization Complete ==—

,,_ -*> Snort!
Preprocessor Object: SF_FTPTELNET Version 1.0
Preprocessor Object: SF_SSH Version 1.0
Preprocessor Object: SF_DCERPC Version 1.0
Preprocessor Object: SF_DNS Version 1.0
Preprocessor Object: SF_SMTP Version 1.0
Not Using PCAP_FRAMES

Do you think its working fine ? If so how can I make it start automatically after every boot ?

Re: Snort Error

Have you updated the snort rules? I got a few errors like this because I didn’t update the rules properly using Oinkmaster.

First try uninstall agin with these commands:
sudo apt-get —purge remove snort (or snort-mysql)
sudo apt-get —purge autoremove

the delete all the remaining files with:
sudo rm -fr /etc/snort

Then try to install agian.

I have covered SNORT in my howto series on Ubuntu security on my blog (see signature). Snort is covered in part IV I believe.

Источник

Installing PulledPork on Raspbian: /etc/snort/rules/snort.rules not created #315

  1. Running snort-2.9.11.1 under Raspbian on a RP-1B+ fine. Configuration and rules checked okay (sudo snort -T -c /etc/snort/snort.conf -i eth0).
  2. Installed pulledpork-0.7.3 successfully (/usr/local/bin/pulledpork.pl -V).
  3. Edited /etc/snort/pulledpork.conf as described on https://sublimerobots.com/2017/01/snort-2-9-9-x-ubuntu-installing-pulledpork/
  4. Executed pulledpork (sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l), but this time I got an error:
    Use of uninitialized value $arch in regexp compilation at /usr/local/bin/pulledpork.pl line 348
    Out of memory!
  5. When executing the command again, all goes fine without an error msg, but /etc/snort/rules/snort.rules is NOT created.
  6. Now we finally execute snort (sudo snort -T -c /etc/snort/snort.conf -i eth0)
    ERROR: /etc/snort//etc/snort/rules/snort.rules(0) Unable to open rules file «/etc/snort//etc/snort/rules/snort.rules»: No such file or directory.
    Fatal Error, Quitting..

Any help please why /etc/snort/rules/snort.rules is not created .

The text was updated successfully, but these errors were encountered:

This was brought up in #141 and this is normally set by the user. In the case of arm, there are no precompiled shared object rules. I will close out #141 and add in something to automatically handle this when the architecture is NOT i386 or x86-64

This was brought up in #141 and this is normally set by the user. In the case of arm, there are no precompiled shared object rules. I will close out #141 and add in something to automatically handle this when the architecture is NOT i386 or x86-64

@shirkdog — please do you know if there are any plans for precompiled shared object rules to be provided for arm?

PulledPork would not be the authoritative answer for this, @vrtadmin would be. (and since that’s me).. no, we have no plans for creating Precomp for arm.

PulledPork would not be the authoritative answer for this, @vrtadmin would be. (and since that’s me).. no, we have no plans for creating Precomp for arm.

Thanks for the speedy response, even though it’s a no to arm. I was planning to try Talos next, but you’ve saved me that job.

© 2023 GitHub, Inc.

You can’t perform that action at this time.

You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.

Источник

How to install Snort on Debian

Snort is a popular choice for running a network intrusion detection systems or NIDS for short. It monitors the package data sent and received through a specific network interface. NIDS can catch threats targeting your system vulnerabilities using signature-based detection and protocol analysis technologies. NIDS software, when installed and configured appropriately, can identify the latest attacks, malware infections, compromised systems, and network policy violations. In this guide, you will find instructions on how to install Snort on Debian 9. The install guide is also available for cloud servers running CentOS 7 and Ubuntu 16.

Snort is one of the most commonly used network-based IDS. It is a lightweight, open source, available on a multitude of platforms, and can be comfortably installed even on the smallest of cloud server instances. Although Snort is capable of much more than just network monitoring, this guide shows how to configure and run Snort in NIDS mode with a basic setup that you can later expand as needed.

Preparing your server

Setting up a basic configuration of Snort on Debian is fairly simple but takes a few steps to complete. You will first need to install all the prerequisite software to ready your cloud server for installing Snort itself. Install the required libraries with the following command.

With the prerequisites fulfilled, next up is how to install Snort on Debian 9. Snort can be downloaded and installed manually from the source. Below you will find instructions on how to get this done.

Installing from the source

Setting up Snort on Debian from the source code consists of a couple of steps: downloading the code, configuring it, compiling the code, installing it to an appropriate directory, and lastly configuring the detection rules.

Start by making a temporary download folder to your home directory and then changing into it with the command below.

Snort itself uses something called Data Acquisition library (DAQ) to make abstract calls to packet capture libraries. Download the latest DAQ source package from the Snort website with the wget command underneath. Replace the version number in the command if a newer source available.

The download will only take a few seconds. When complete, extract the source code and jump into the new directory with the following commands.

The latest version requires an additional step to auto reconfigure DAQ before running the config. Use the command below which requires you need to have autoconf and libtool installed.

Afterwards, run the configuration script using its default values, then compile the program with make and finally install DAQ.

With the DAQ installed you can get started with Snort, change back to the download folder.

Next, download the Snort source code with wget. You can find the latest version number on the Snort downloads page. Replace it in the following command if necessary.

Once the download is complete, extract the source and change into the new directory with these commands.

Then configure the installation with sourcefire enabled, run make and make install.

With that done, continue below on how to set up the configuration files.

Configuring Snort to run in NIDS mode

Next, you will need to configure Snort for your system. This includes editing some configuration files, downloading the rules that Snort will follow, and taking Snort for a test run.

Start with updating the shared libraries using the command underneath.

Snort on Debian gets installed to /usr/local/bin/snort directory, it is good practice to create a symbolic link to /usr/sbin/snort.

Setting up username and folder structure

To run Snort on Debian safely without root access, you should create a new unprivileged user and a new user group for the daemon to run under.

Then create the folder structure to house the Snort configuration, just copy over the commands below.

Set the permissions for the new directories accordingly.

Create new files for the white and blacklists as well as the local rules.

Then copy the configuration files from the download folder.

Next up, you will need to download the detection rules Snort will follow to identify potential threats. Snort provides three tiers of rule sets, community, registered and subscriber rules.

  • Community rules are freely available although slightly limited.
  • By registering for free on their website you get access to your Oink code, which lets you download the registered users rule sets.
  • Lastly, subscriber rules are just that, available to users with an active subscription to Snort services.

Underneath you can find instructions for downloading both community rules or registered user rule sets.

If you just want to quickly test out Snort, grab the community rules using wget with the command below.

Extract the rules and copy them to your configuration folder.

By default, Snort on Debian expects to find a number of different rule files which are not included in the community rules. You can easily comment out the unnecessary lines using the sed command underneath.

Option 2. Obtaining registered user rules

You can also take a moment and register on the Snort website. Registering gives you access to use their Oink code to download the registered user rules. You can find the code in the Snort user account details.

Replace the oinkcode in the following command with your personal code.

Once downloaded, extract the rules over to your configuration directory.

The rule sets for the registered users include an extensive amount of useful preconfigured detection rules. If you tried out Snort with the community rules first, you can enable additional rules by uncommenting their inclusions towards the end of the snort.conf file.

Configuring the network and rule sets

With the configuration and rule files in place, edit the snort.conf to modify a few parameters. Open the configuration file in your favourite text editor, for example using nano with the command below.

Find these sections shown below in the configuration file and change the parameters to reflect the examples here.

In the same snort.conf file, scroll down to the section 6 and set the output for unified2 to log under filename of snort.log like below.

Lastly, scroll down towards the bottom of the file to find the list of included rule sets. You will need to uncomment the local.rules to allow Snort to load any custom rules.

If you are using the community rules, add the line underneath to your ruleset as well, for example just below your local.rules line.

Once you are done with the configuration file, save the changes and exit the editor.

Validating settings

Your Snort should now be ready to run. Test the configuration using the parameter -T to enable test mode.

After running the Snort configuration test, you should get a message like this example below.

In case you get an error, the print out should tell you what the problem was and where to fix it. Most likely problems are missing files or folders, which you can usually resolve by either adding any you might have missed in the setup above, or by commenting out unnecessary inclusion lines in the snort.conf file. Check the configuration part and try again.

Testing the configuration

To test if Snort is logging alerts as intended, add a custom detection rule alert on incoming ICMP connections to the local.rules file. Open your local rules in a text editor.

Then add the following line to the file.

The rule consists of the following parts:

  • action for traffic matching the rule, alert in this case
  • traffic protocol like TCP, UDP or ICMP like here
  • the source address and port, simply marked as any to include all addresses and ports
  • the destination address and port, $HOME_NET as declared in the configuration and any for port
  • some additional bits
    • log message
    • unique rule identifier (sid) which for local rules needs to be 1000001 or higher
    • rule version number.

Save the local.rules and exit the editor.

Start Snort with -A console options to print the alerts to stdout. You will need to select the correct network interface with the public IP address of your server, for example, eth0.

If you are not sure which interface to use, check your UpCloud control panel for the public IPv4 address of your server in the Network settings. You can also use the following command on your server.

The output will list all of your currently configured network interfaces. Find the one with the same public IP address as shown in the Network settings, commonly eth0.

With Snort up and running, ping your cloud server from any other computer. You should see a notice for each ICMP call in the terminal running Snort.

After the alerts show up you can stop Snort with ctrl+C.

Snort records the alerts to a log under /var/log/snort/snort.log. timestamp , where the timestamp is the point in time when Snort was started marked in Unix time. You can read the logs with the command underneath. Since you have only run Snort once, there is only one log, complete your command by pressing TAB.

The log shows a warning for each ICMP call with source and destination IPs, time and date, plus some additional info as shown in the example below.

Running Snort in the background

To run Snort on Debian as a service in the background you will need to add a startup script for Snort. Open a new a file in a text editor for example with the next command.

Enter the following to the file, save and exit the editor.

With the service defined, reload the systemctl daemon.

Snort can then be run with the configuration you set up using the command below.

The startup script also includes other usual systemctl commands: stop, restart, and status. For example, you can check the status of the service with the following command.

Conclusions

Congratulations, you should have now successfully configured and tested a network-based intrusion detection system. This guide however only covers the very basics with an introduction to Snort and NIDS in general. To get more out of your installation, check out the deployment guides over at the Snort documents page, or jump right into writing your own detection rules with their helpful Snort rules info graph.

Источник

I’m trying to setup and run Snort IDS on mac using this kinda tutorial:
https://discussions.apple.com/thread/3370709?start=0&tstart=0

OSX Yosemite (10.10.2);
PostgreSQL 9.4.1 (installed with Homebrew)
Snort: stable 2.9.7.0 (installed with Homebrew)

When I finally try to star it like this:

$ sudo /usr/local/bin/snort -d -e -i en0 -c /etc/snort/snort.conf

Getting this:

Password:

Running in IDS mode

  --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
...
ERROR: /etc/snort/../rules/local.rules(0) Unable to open rules file "/etc/snort/../rules/local.rules": No such file or directory.

Fatal Error, Quitting..

The rule is actually on place at /etc/snort/rules/local.rules

RULE_PATH is set in /etc/snort/snort.conf to /etc/snort/rules

So:

$ echo $RULE_PATH
/etc/snort/rules

trying this:

$ grep RULE_PATH /etc/snort/snort.conf

var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
...

Well after changing

var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules

to

var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

Getting:

$ sudo /usr/local/bin/snort -d -e -i en0 -c /etc/snort/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
...
ERROR: /etc/snort/snort.conf(741) Unknown output plugin: "database"
Fatal Error, Quitting..

Line 741 in /etc/snort/snort.conf is:

output database: log, postgresql, user=snort password=password dbname=snort host=localhost

So since snort 2.9.3.0 direct database output isn’t supported anymore. I should use snort’s unified output. I could use Barnyard2 instead to redirect to postgresql.

Я пытаюсь настроить и запустить Snort IDS на Mac с помощью своего рода учебника: https://discussions.apple.com/thread/3370709?start=0&tstart=0

OSX Yosemite (10.10.2); PostgreSQL 9.4.1 (установлен с Homebrew) Snort: стабильный 2.9.7.0 (установлен с Homebrew)

Когда я наконец пытаюсь сыграть это так:

$ sudo /usr/local/bin/snort -d -e -i en0 -c /etc/snort/snort.conf 

Получение этого:

Password:  Running in IDS mode  --== Initializing Snort ==-- Initializing Output Plugins! Initializing Preprocessors! Initializing Plug-ins! Parsing Rules file "/etc/snort/snort.conf" ... ERROR: /etc/snort/../rules/local.rules(0) Unable to open rules file "/etc/snort/../rules/local.rules": No such file or directory.  Fatal Error, Quitting.. 

Правило фактически на месте в /etc/snort/rules/local.rules

RULE_PATHустанавливается в /etc/snort/snort.confк/etc/snort/rules

Так:

$ echo $RULE_PATH /etc/snort/rules 

пробую это:

$ grep RULE_PATH /etc/snort/snort.conf  var RULE_PATH ../rules var SO_RULE_PATH ../so_rules var PREPROC_RULE_PATH ../preproc_rules ... 

Хорошо после смены

var RULE_PATH ../rules var SO_RULE_PATH ../so_rules var PREPROC_RULE_PATH ../preproc_rules 

в

var RULE_PATH /etc/snort/rules var SO_RULE_PATH /etc/snort/so_rules var PREPROC_RULE_PATH /etc/snort/preproc_rules 

Получение:

$ sudo /usr/local/bin/snort -d -e -i en0 -c /etc/snort/snort.conf Running in IDS mode  --== Initializing Snort ==-- Initializing Output Plugins! Initializing Preprocessors! Initializing Plug-ins! Parsing Rules file "/etc/snort/snort.conf" ... ERROR: /etc/snort/snort.conf(741) Unknown output plugin: "database" Fatal Error, Quitting.. 

Строка 741 в /etc/snort/snort.confэто:

output database: log, postgresql, user=snort password=password dbname=snort host=localhost

Так как прямой вывод базы данных snort 2.9.3.0 больше не поддерживается. Я должен использовать унифицированный вывод snort. Я мог бы использовать Barnyard2 вместо того, чтобы перенаправить на postgresql.


2 ответа на вопрос

agtoever

2015-03-07 в 10:37

Note: this answer is composed from a dialog in the comments of the original question.


The problem with the rule directory
From the error it’s clear that somewhere (probably in snort.conf) there is a .., pointing to the wrong path. Based on the error, I’d say that var RULE_PATH ../rules is in the config file. You should change that either to var RULE_PATH ./rules or use an absolute path: var RULE_PATH /etc/snort/rules. You should do this for SO_RULE_PATH and PREPROC_RULE_PATH too. So your config now has:

var RULE_PATH /etc/snort/rules var SO_RULE_PATH /etc/snort/so_rules var PREPROC_RULE_PATH /etc/snort/preproc_rules 

The problem with outputting data to a database
Since snort 2.9.3.0, direct database output isn’t supported anymore. You should use snort’s unified output (like this» output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types). You could use Barnyard2 instead to redirect to postgresql. Explaining how to set this up would go (in my opinion) too far for this answer. A basic start can be found here. A far more elaborate explanation (and specific targeted for OSX) can be found here.

matias figueroa

2017-07-19 в 15:36

ОШИБКА: /etc/snort/../rules/local.rules(0) Невозможно открыть файл правил «/etc/snort/../rules/local.rules»: такого файла или каталога нет.

Фатальная ошибка, выход ..

Я смог решить эту ошибку, комментируя следующие строки:

#var RULE_PATH ../rules #var SO_RULE_PATH ../so_rules #var PREPROC_RULE_PATH ../preproc_rules   #var WHITE_LIST_PATH ../rules #var BLACK_LIST_PATH ../rules 

Эти строки относятся к пользователю Windows!

Похожие вопросы

  • 9
    В чем разница между командами «su -s» и «sudo -s»?


  • 4
    Требуется хороший бесплатный образ Ubuntu Server VMWare


  • 3
    Ускорение загрузки OS X на годичной MBP



  • 4
    Каковы различия между основными дистрибутивами Linux? Я замечу?


  • 2
    Ограничить использование процессора для Flash в Firefox?


  • 2
    Как мне заставить мой микрофон работать под Debian GNOME?


  • 2
    Конки установки — образцы / идеи?


  • 3
    Как повторно связать резервную копию Airport Time Machine после перехода на новый Mac?


  • 6
    Как вы отключите звук запуска на Mac?


  • 5
    Почему мой Macbook сильно нагревается при использовании Boot Camp?


I have been Running Pfsense 2.0 with Snort 2.9.0.5 for a while now with no issues
After Weeks of Not Upgrading to the latest version (2.9.1) i decided to Upgrade today but after Upgrading to Snort 2.9.1 Snort will not Start  :-[
I have updated the snort rules and try restarting the service but that dont work, each time the rules are loaded and the service tries to start i get this error :

Dec 22 09:10:27 pfsfw snort[34705]:    Search-Method = AC-Std
Dec 22 09:10:27 pfsfw snort[34705]:    Search-Method = AC-Std
Dec 22 09:10:27 pfsfw snort[34705]: FATAL ERROR: Unable to open rules file «/usr/local/etc/snort/snort_9558_em0//usr/local/etc/snort/snort_9558_em0/reference
.config»: No such file or directory.
Dec 22 09:10:27 pfsfw snort[34705]: FATAL ERROR: Unable to open rules file «/usr/local/etc/snort/snort_9558_em0//usr/local/etc/snort/snort_9558_em0/reference
.config»: No such file or directory.
Dec 22 09:10:27 pfsfw SnortStartup[34998]: Interface Rule START for 0_9558_em0…
I Also Saw this at the end of the screen after the firewall was rebooted:

cp: /usr/local/etc/snort/gen-msg.map: No such file or directory
cp: /usr/local/etc/snort/classification.config: No such file or directory
cp: /usr/local/etc/snort/reference.config: No such file or directory
cp: /usr/local/etc/snort/unicode.map: No such file or directory
cp: /usr/local/etc/snort/threshold.conf: No such file or directory
done
Bootup complete

I know the new version (2.9.1) has been out for a while now hence someone must have experienced this problem an probably can help me fix for this issue

Any Help Appreciated,
Thanks Much

thats how I now tried to solve the issue.

First place is definition of the path:

var WHITE_LIST_PATH rules

When I commented this line I got error:

ERROR: /etc/snort/snort.conf(515) Undefined variable name: WHITE_LIST_PATH.

therefore I found second place in config file:

Second place look like this:

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: 
   memcap 500, 
   priority whitelist, 
   nested_ip inner, 
   whitelist $WHITE_LIST_PATH/white_list.rules, 
   blacklist $BLACK_LIST_PATH/black_list.rules 

so I changed it to

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: 
   memcap 500, 
   priority whitelist, 
   nested_ip inner, 
   #whitelist $WHITE_LIST_PATH/white_list.rules, 
   blacklist $BLACK_LIST_PATH/blacklist.rules 

As you see there name for the file with black list rules looks now different than before. This is becuase I nopticed that’s the name I see in that directory is different than proposed in config file.

The next issue I faced was:

Processing blacklist file /etc/snort/rules/blacklist.rules
  (22) => Invalid address: 'alert udp $HOME_NET any 

This error is gone when I disabled black list as well, but I think this is not good approach.
So how I can solve such error like «Invalid address: ‘alert udp $HOME_NET any » ?

My variables in config file look like this:

# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.1.0/24

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET

And last question is about usage of rules.
On SNORT home page I see cummunity rules plus another package (available after registration) which contains a lot of rules.
Actually I downloaded both, but I think there is redundancy:

When I have this line in config (plus other rules)

 include $RULE_PATH/community.rules 

I get warnings like this:

WARNING: /etc/snort/rules/malware-cnc.rules(1764) GID 1 SID 28541 in rule duplicates previous rule. Ignoring old rule.

So the question is simple: does any more experience person know why we need community.rules and what is a usage comapred to the other rules?

@rapidblow

I have built two different systems a debian 7 and an ubuntu 12.04 and I get the EXACT same error at both places in finishing this, maybe I missed something — twice ?

Bob@packetpig:~/Documents/packetpig$ sudo snort -c lib/snort-2931/etc/snort.conf -A fast -y -l out -r data/web.pcap
Running in IDS mode

    --== Initializing Snort ==--

Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file «lib/snort-2931/etc/snort.conf»
ERROR: lib/snort-2931/etc/snort.conf(0) Unable to open rules file «lib/snort-2931/etc/snort.conf»: No such file or directory.

Fatal Error, Quitting..

@cloudjunky

Hi.

We removed the Snort signatures about a week ago as we had some VRT signatures in there that aren’t meant to be distributed. You can go to http://www.snort.org/snort-rules/? and download the snortrules-snapshot-2931.tar.gz and untar/gz it in the lib directory.

I will add this to the Install.md. Sorry for the confusion.

@rapidblow

I downloaded the latest rule set and placed it under ~documents, and still
get the same error message. Do you have the old GIT version that includes
the rules I can try ?

On Sun, May 12, 2013 at 5:42 PM, Michael Baker notifications@github.comwrote:

Hi.

We removed the Snort signatures about a week ago as we had some VRT
signatures in there that aren’t meant to be distributed. You can go to
http://www.snort.org/snort-rules/? and download the
snortrules-snapshot-2931.tar.gz and untar/gz it in the lib directory.

I will add this to the Install.md. Sorry for the confusion.


Reply to this email directly or view it on GitHubhttps://github.com//issues/9#issuecomment-17786752
.

@cloudjunky

Check Install.md and how to install Snort and then link it to Packetpig’s lib/snort directory. Make sure the pig files you run have lib/snort/snort.conf as the snort config file. I am upgrading all the documentation as I type but hopefully this gets you going.

snort logo

Snort
mailing list archives


From: «Alex Alborzfard» <aalborz06 () gmail com>

Date: Wed, 2 Jul 2008 12:11:16 -0400


Ok I tried to point to the path in snort.conf, but it didn't work. The
directory path holding the dynamic engine library file is:
D:Snortlibsnort_dynamicengine and the only library file name there is:
sf_engine.dll.
So I specified the paths to dynamicengine and dynamic preprocessor on the
command line and it worked.
But now I get a different error:

ERROR: OpenAlertFile() => fopen() alert file log/alert.ids: No such file or
directory


I can't find this file anywhere under Snort installation directory or any
reference to it in Snort.conf. Do I have to create this file? Otherwise
where or how do I have to specify the path to this file?

TIA

Alex

On Tue, Jun 17, 2008 at 1:45 PM, Todd Wease <twease () sourcefire com> wrote:

Alex,

You need to configure the path to that in snort.conf (look for "Step #2:
Configure dynamic loaded libraries" in snort.conf) or alternatively specify
the path on the command line (run Snort with the '-h' option or take a look
at doc/README).

Todd


Alex Alborzfard wrote:

No I didn't. I specified the path and this time I didn't get the error,
but
got this one:

 Failed to load /usr/local/lib/snort_dynamicengine/libsf_engine.so: 126

On Tue, Jun 17, 2008 at 1:11 PM, Todd Wease <twease () sourcefire com>
wrote:

 Alex,
Did you specify the path to snort.conf on the command line via the '-c'
switch?

Todd

Alex Alborzfard wrote:

 I've installed latest Snort (2.8) on a Win2K pro box with winpcap.
When I run snort I get the following error:

ERROR: Unable to open rules file: snort.conf or ./snort.conf

I modified snort.conf to point to the correct directory path, but I
still
get the error.

Any help would be greatly appreciated.



------------------------------------------------------------------------


-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php


------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



------------------------------------------------------------------------

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php


------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

  • Re: Newbie Problem Alex Alborzfard (Jul 02)

Like this post? Please share to your friends:
  • Snmp проверить с командной строки windows
  • Snmp windows 10 нет в компонентах
  • Snmp service is not available on windows
  • Snippingtool exe для windows 7 скачать с официального сайта
  • Sniper path of vengeance скачать торрент для windows 10