Koozali.org: home of the SME Server

Problem with Snort

dave

Problem with Snort
« on: February 15, 2004, 10:42:19 PM »
I believe that snort is not running on my SME 5.6 system.

If I run /etc/rc.d/init.d/snortd restart
I get
Stopping snort:                                            [ FAILED ]
Starting snort:                                            [   OK   ]

I thought that if I ran
ps -ef | grep snort
that I would get a response more than the process of my query.

I have un-installed together with Acid and Guardian and then re-installed a number of times with no change in the outcome.

Can anyone offer some guidance on what I should try next?

Thanks in advance

Dave

MasterSleepy

Problem with Snort
« Reply #1 on: February 16, 2004, 06:27:14 AM »
Hi,

Do you have a dynamic IP address?
I have the same problem on re-upping the outinterface; I have to add a snort restart.

regards,

dave

Problem with Snort
« Reply #2 on: February 16, 2004, 07:46:24 AM »
No, I have a static IP.

Guardian appears to be working fine; if I do a ps -ef | grep gua the process is shown to be running.

Acid appears to be running, simply by looking at the web interface, although nothing is being logged, which I take it is because snort isn't running.

Dave

RayG

Problem with Snort
« Reply #3 on: February 16, 2004, 04:33:36 PM »
Look at your messages log and verify snort is starting properly. I suspect it's dying due to a "fatal error" in the config file.

Anonymous

Feb 17 17:59:10 vicky snort-mysql: Initializing Output Plugi
« Reply #4 on: February 17, 2004, 06:11:33 AM »
I've looked in my boot.log and see the following

Feb 17 17:59:10 vicky snort-mysql: Initializing Output Plugins!
Feb 17 17:59:10 vicky snortd: snort-mysql startup succeeded


So I'm not sure. All I have to go on is that I am not getting anything showing up in ACID and ip blocking occurs.

Anonymous

That should have read
« Reply #5 on: February 17, 2004, 06:13:34 AM »
Quote from: "Anonymous"
I've looked in my boot.log and see the following

Feb 17 17:59:10 vicky snort-mysql: Initializing Output Plugins!
Feb 17 17:59:10 vicky snortd: snort-mysql startup succeeded


So I'm not sure. All I have to go on is that I am not getting anything showing up in ACID and ip blocking doesn't occur.

dave

Problem with Snort
« Reply #6 on: February 17, 2004, 10:36:45 AM »
Ah, well, once I do what I'm asked and look in the right place:

Feb 17 17:59:12 vicky snort-mysql: Portscan2 config:
Feb 17 17:59:13 vicky snort-mysql:     log: /var/log/snort/scan.log
Feb 17 17:59:13 vicky snort-mysql:     scanners_max: 3200
Feb 17 17:59:13 vicky snort-mysql:     targets_max: 5000
Feb 17 17:59:13 vicky snort-mysql:     target_limit: 5
Feb 17 17:59:13 vicky snort-mysql:     port_limit: 20
Feb 17 17:59:13 vicky snort-mysql:     timeout: 60
Feb 17 17:59:14 vicky snort-mysql: FATAL ERROR: ERROR: Unable to open rules file: .//bad-traffic.rules or /etc/snort/.//bad-traffic.rules

So what have I done to cause this ???

I don't understand the path /etc/snort/.//

Is that what the problem is ???

Dave

Floyd

Problem with Snort
« Reply #7 on: February 20, 2004, 05:57:13 AM »
Hi Dave
Got a chance to play around with snort today. The problem is the path to the rules is wrong (as you have guessed). Go to the file /etc/snort/snort.conf and look for the part of the file that starts out with
# Path to you rules files (this can be a relative path)
var RULE_PATH ./
change it to
var RULE_PATH /etc/snort/rules
and that should do it. With mc that part of the file will be about 14% down.

HTH
Floyd

Dave

Problem with Snort
« Reply #8 on: February 23, 2004, 07:10:15 AM »
Thanks Floyd.

I have done as you suggested, rebooted and now await some blocking to occur with guardian and some update on acid.

I'll let you know how I go.

Thanks again.

Dave

Dave

Problem with Snort
« Reply #9 on: February 23, 2004, 08:30:42 AM »
Ah, well, just checked my messages log file and found

Feb 23 18:56:34 vicky snort-mysql: FATAL ERROR: ERROR: Unable to open rules file: ./etc/snort/rules/bad-traffic.rules or /etc/snort/./etc/snort/rules/bad-traffic.rules

Right. So I have manually run the command

wget http://www.snort.org/dl/rules/snortrules-stable.tar.gz

Which returned errors

So I investigated that and found the path on the snort site has changed. Now this could be because the version is now out of date, I don't know, but the wget command now needs to be

wget http://www.snort.org/dl/rules/old/snortrules-stable.tar.gz

old has been inserted after the rules directory.

I also changed the var RULE_PATH that Floyd mentioned to read /etc/snort instead of /etc/snort/rules

ACID doesn't seem to be reporting anything, but only time will tell.

Maybe I should now un-install and re-install everything  :-)

Regards

Dave
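The two FATAL ERROR lines in this thread show how snort looks for a rule file: it tries the include path as written, then the same path relative to the directory holding snort.conf ("X or /etc/snort/X"). The script below is an added example, not from the thread or the SME/Snort packages, that applies those same two lookups to every `include $RULE_PATH/...` line of a snort.conf so a bad RULE_PATH (such as `./` or the `./etc/snort/rules` typo) is caught before restarting snortd. The directory layout it builds is constructed for the demo; in the thread the rule files themselves may also have been missing.

```shell
#!/bin/sh
# Added example (not from the thread): validate RULE_PATH in a snort.conf
# by mimicking snort's own two-step lookup for each included rules file.

# resolve_rule CONF_DIR RULE_PATH FILE: print the first candidate that exists;
# otherwise print the same "X or CONFDIR/X" pair snort reports and return 1.
# A RULE_PATH of "./" yields ".//FILE", exactly as in the thread's log line.
resolve_rule() {
    for cand in "$2/$3" "$1/$2/$3"; do
        if [ -f "$cand" ]; then printf '%s\n' "$cand"; return 0; fi
    done
    printf 'MISSING: %s/%s or %s/%s/%s\n' "$2" "$3" "$1" "$2" "$3" >&2
    return 1
}

# check_snort_conf CONF: print the number of unresolved rule files and
# return 0 only when every include resolves.
check_snort_conf() {
    conf_dir=$(dirname "$1")
    # take the last "var RULE_PATH <value>" line in the file
    rule_path=$(sed -n 's/^var RULE_PATH[[:space:]][[:space:]]*//p' "$1" | tail -n 1)
    missing=0
    for inc in $(sed -n 's|^include[[:space:]][[:space:]]*\$RULE_PATH/||p' "$1"); do
        resolve_rule "$conf_dir" "$rule_path" "$inc" >/dev/null || missing=$((missing + 1))
    done
    printf '%s\n' "$missing"
    [ "$missing" -eq 0 ]
}

# make_demo DIR RULE_PATH: constructed layout with one rule file under
# DIR/etc/snort/rules and a minimal snort.conf using the given RULE_PATH.
make_demo() {
    mkdir -p "$1/etc/snort/rules"
    : > "$1/etc/snort/rules/bad-traffic.rules"
    printf 'var RULE_PATH %s\ninclude $RULE_PATH/bad-traffic.rules\n' "$2" \
        > "$1/etc/snort/snort.conf"
}

# demo: the three RULE_PATH values seen in the thread; the absolute one is
# pointed at the constructed tree rather than the real /etc/snort/rules.
demo() {
    d=$(mktemp -d)
    for rp in ./ ./etc/snort/rules "$d/etc/snort/rules"; do
        make_demo "$d" "$rp"
        printf 'RULE_PATH %s -> unresolved: ' "$rp"
        check_snort_conf "$d/etc/snort/snort.conf" 2>/dev/null || :
    done
    rm -r "$d"
}
```

Run `demo` to see the first two RULE_PATH values fail and the absolute one resolve; point `check_snort_conf` at a real /etc/snort/snort.conf to check a live box.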