Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: dave on February 15, 2004, 10:42:19 PM
-
I believe that snort is not running on my SME 5.6 system
If I run /etc/rc.d/init.d/snortd restart
I get
Stopping snort: [ FAILED ]
Starting snort: [ OK ]
I thought that if I ran
ps -ef | grep snort
that I would get a response more than the process of my query.
I have uninstalled together with Acid and Guardian and then re-installed a number of times with no change in the outcome.
Can anyone offer some guidance on what I should try next?
Thanks in advance
Dave
-
Hi,
Do you have a dynamic IP address??
I have the same problem: on re-upping the out-interface I have to add a snort restart.
regards,
-
No, I have a static IP.
Guardian appears to be working fine; if I do a ps -ef | grep gua the process is shown to be running.
Acid appears to be running, simply by looking at the web interface, although nothing is being logged, which I take it is because snort isn't running.
Dave
-
Look at your messages log and verify snort is starting properly. I suspect it's dying due to a "fatal error" in the config file.
-
I've looked in my boot.log and see the following
Feb 17 17:59:10 vicky snort-mysql: Initializing Output Plugins!
Feb 17 17:59:10 vicky snortd: snort-mysql startup succeeded
So I'm not sure. All I have to go on is that I am not getting anything showing up in ACID and ip blocking occurs.
-
I've looked in my boot.log and see the following
Feb 17 17:59:10 vicky snort-mysql: Initializing Output Plugins!
Feb 17 17:59:10 vicky snortd: snort-mysql startup succeeded
So I'm not sure. All I have to go on is that I am not getting anything showing up in ACID and ip blocking doesn't occur.
-
Ah, well, once I do what I'm asked and look in the right place:
Feb 17 17:59:12 vicky snort-mysql: Portscan2 config:
Feb 17 17:59:13 vicky snort-mysql: log: /var/log/snort/scan.log
Feb 17 17:59:13 vicky snort-mysql: scanners_max: 3200
Feb 17 17:59:13 vicky snort-mysql: targets_max: 5000
Feb 17 17:59:13 vicky snort-mysql: target_limit: 5
Feb 17 17:59:13 vicky snort-mysql: port_limit: 20
Feb 17 17:59:13 vicky snort-mysql: timeout: 60
Feb 17 17:59:14 vicky snort-mysql: FATAL ERROR: ERROR: Unable to open rules file: .//bad-traffic.rules or /etc/snort/.//bad-traffic.rules
So what have I done to cause this ???
I don't understand the path /etc/snort/.//
Is that what the problem is ???
Dave
-
Hi Dave
Got a chance to play around with snort today. The problem is the path to the rules is wrong (as you have guessed). Go to the file /etc/snort/snort.conf and look for the part of the file that starts out with
# Path to you rules files (this can be a relative path)
var RULE_PATH ./
change it to
var RULE_PATH /etc/snort/rules
and that should do it. With mc that part of the file will be about 14% down.
HTH
Floyd
-
Thanks Floyd.
I have done as you suggested, rebooted and now await some blocking to occur with guardian and some update on acid.
I'll let you know how I go.
Thanks again.
Dave
-
Ah, Well just checked my messages log file and found
Feb 23 18:56:34 vicky snort-mysql: FATAL ERROR: ERROR: Unable to open rules file: ./etc/snort/rules/bad-traffic.rules or /etc/snort/./etc/snort/rules/bad-traffic.rules
Right. So I have manually run the command
wget http://www.snort.org/dl/rules/snortrules-stable.tar.gz
Which returned errors
So I investigated that and found the path on the snort site has changed. Now this could be because the version is now out of date, I don't know, but the wget command now needs to be
wget http://www.snort.org/dl/rules/old/snortrules-stable.tar.gz
old has been inserted after the rules directory.
I also changed the var RULE_PATH that Floyd mentioned to read /etc/snort instead of /etc/snort/rules
ACID doesn't seem to be reporting anything, but only time will tell.
Maybe I should now un-install and re-install everything :-)
Regards
Dave
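The two FATAL ERROR lines in this thread both come from the same mechanism: snort tries an `include $RULE_PATH/<file>` first with the path exactly as written, then relative to the directory that holds snort.conf, so a RULE_PATH of `./` yields ".//bad-traffic.rules or /etc/snort/.//bad-traffic.rules", and a RULE_PATH of `./etc/snort/rules` (the leading "./" kept by mistake) yields the second error Dave posted. Because the init script prints "[ OK ]" as soon as the process launches and snort only dies a few seconds later while parsing the config, `ps -ef | grep snort` ends up showing nothing but the grep itself. The following script is an added example, not code from the thread or from the SME Server or snort projects: it reads RULE_PATH out of a snort.conf, resolves every included rules file the way snort does, and reports what would be missing before a restart. It builds its own constructed snort.conf and rules directory under a temp dir; the rules location on a real SME box is whatever the thread's own posts say, not something this script assumes.

```shell
#!/bin/sh
# Added example (not from the thread, SME Server or snort): pre-flight check
# of a snort.conf RULE_PATH, reproducing snort's two-step lookup of
# `include $RULE_PATH/<file>` (path as written, then relative to the
# directory containing the config file).

# rule_path_of CONF: print the value of the first `var RULE_PATH ...` line.
rule_path_of() {
    sed -n 's/^var[[:space:]][[:space:]]*RULE_PATH[[:space:]][[:space:]]*//p' "$1" | head -n 1
}

# check_rule_includes CONF: for every `include $RULE_PATH/<file>` line report
# OK or MISSING (with both paths snort would have tried). The return code is
# the number of unresolvable files, so 0 means the config would load.
check_rule_includes() {
    conf="$1"
    confdir=$(dirname "$conf")
    rule_path=$(rule_path_of "$conf")
    missing=0
    case "$rule_path" in
        /*) ;;
        *)  echo "WARN: RULE_PATH '$rule_path' is relative; snort resolves it" \
                 "against its working directory or $confdir, not /etc/snort/rules" ;;
    esac
    for f in $(sed -n 's/^include[[:space:]][[:space:]]*\$RULE_PATH\/\(.*\)$/\1/p' "$conf"); do
        first="$rule_path/$f"             # tried as written
        second="$confdir/$rule_path/$f"   # then relative to the config dir
        if [ -r "$first" ] || [ -r "$second" ]; then
            echo "OK      $f"
        else
            echo "MISSING $f (snort would report: $first or $second)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# make_fixture DIR RULE_PATH_VALUE: write a constructed snort.conf into DIR
# using the given RULE_PATH, and one constructed rules file in DIR/rules.
make_fixture() {
    dir="$1"
    mkdir -p "$dir/rules"
    printf 'alert tcp any any -> any any (msg:"constructed sample rule"; sid:1000001;)\n' \
        > "$dir/rules/bad-traffic.rules"
    cat > "$dir/snort.conf" <<EOF
# Path to you rules files (this can be a relative path)
var RULE_PATH $2
include \$RULE_PATH/bad-traffic.rules
EOF
}

# demo: run the check against the two broken settings seen in the thread and
# against an absolute path that points at where the fixture's rules really are.
demo() {
    work=$(mktemp -d)
    for rp in "./" "./etc/snort/rules" "$work/rules"; do
        make_fixture "$work" "$rp"
        echo "== var RULE_PATH $rp"
        check_rule_includes "$work/snort.conf" \
            || echo "   -> $? rules file(s) unreadable: snort would exit with FATAL ERROR"
    done
    rm -rf "$work"
}

demo
```

Run it against a live config with `check_rule_includes /etc/snort/snort.conf` after sourcing the script; a clean run prints only OK lines and returns 0, and anything else is the same path snort would have logged to /var/log/messages after the "[ OK ]".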