Snort mailing list archives
RE: start snort in IDS mode
From: "William Fitzgerald" <wfitzgerald () tssg org>
Date: Thu, 10 Feb 2005 14:22:32 -0000
I wonder if you have the rules directory in the correct place. you should have: /opt/snort/etc /opt/snort/rules in the snort.conf file: # Path to your rules files (this can be a relative path) var RULE_PATH ../rules this goes up one directory from etc to rules. if you copied the rules to the etc directory then change the RULES_PATH to reflect this. -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Plantier, Spencer Sent: 10 February 2005 14:17 To: snort-users () lists sourceforge net Subject: [Snort-users] start snort in IDS mode I got IDS to start but I got the following output: opt/snort/bin/snort -c /opt/snort/etc/snort.conf -i hme0 Running in IDS mode Initializing Network Interface hme0 --== Initializing Snort ==-- Initializing Output Plugins! Decoding Ethernet on interface hme0 Initializing Preprocessors! Initializing Plug-ins! Parsing Rules file /opt/snort/etc/snort.conf +++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... ,-----------[Flow Config]---------------------- | Stats Interval: 0 | Hash Method: 2 | Memcap: 10485760 | Rows : 4099 | Overhead Bytes: 16400(%0.16) `---------------------------------------------- No arguments to frag2 directive, setting defaults to: Fragment timeout: 60 seconds Fragment memory cap: 4194304 bytes Fragment min_ttl: 0 Fragment ttl_limit: 5 Fragment Problems: 0 Self preservation threshold: 500 Self preservation period: 90 Suspend threshold: 1000 Suspend period: 30 Stream4 config: Stateful inspection: ACTIVE Session statistics: INACTIVE Session timeout: 30 seconds Session memory cap: 8388608 bytes State alerts: INACTIVE Evasion alerts: INACTIVE Scan alerts: INACTIVE Log Flushed Streams: INACTIVE MinTTL: 1 TTL Limit: 5 Async Link: 0 State Protection: 0 Self preservation threshold: 50 Self preservation period: 90 Suspend threshold: 200 Suspend period: 30 Enforce TCP State: INACTIVE Midstream Drop Alerts: INACTIVE Stream4_reassemble config: Server reassembly: INACTIVE Client reassembly: ACTIVE Reassembler alerts: ACTIVE Zero out flushed packets: INACTIVE flush_data_diff_size: 500 Ports: 21 23 25 53 80 110 111 143 513 1433 Emergency Ports: 21 23 25 53 80 110 111 143 513 1433 HttpInspect Config: GLOBAL CONFIG Max Pipeline Requests: 0 Inspection Type: STATELESS Detect Proxy Usage: NO IIS Unicode Map Filename: /opt/snort/etc/unicode.map IIS Unicode Map Codepage: 1252 DEFAULT SERVER CONFIG: Ports: 80 8080 8180 Flow Depth: 300 Max Chunk Length: 500000 Inspect Pipeline Requests: YES URI Discovery Strict Mode: NO Allow Proxy Usage: NO Disable Alerting: NO Oversize Dir Length: 500 Only inspect URI: NO Ascii: YES alert: NO Double Decoding: YES alert: YES %U Encoding: YES alert: YES Bare Byte: YES alert: YES Base36: OFF UTF 8: OFF IIS Unicode: YES alert: YES Multiple Slash: YES alert: NO IIS Backslash: YES alert: NO Directory Traversal: YES alert: NO Web Root Traversal: YES alert: YES Apache WhiteSpace: YES alert: NO IIS Delimiter: YES alert: NO IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG Non-RFC Compliant Characters: NONE rpc_decode arguments: Ports to decode RPC on: 111 32771 alert_fragments: INACTIVE alert_large_fragments: ACTIVE alert_incomplete: ACTIVE alert_multiple_requests: ACTIVE telnet_decode arguments: Ports to decode telnet on: 21 23 25 119 Portscan Detection Config: Detect Protocols: TCP UDP ICMP IP Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan Sensitivity Level: Low Memcap (in bytes): 10000000 Number of Nodes: 36900 ERROR: /opt/snort/etc/../rules(1) => NULL rule type Fatal Error, Quitting.. #
Current thread:
- start snort in IDS mode Plantier, Spencer (Feb 10)
- RE: start snort in IDS mode William Fitzgerald (Feb 10)
- <Possible follow-ups>
- RE: start snort in IDS mode Plantier, Spencer (Feb 10)
- RE: start snort in IDS mode William Fitzgerald (Feb 10)
- RE: start snort in IDS mode Plantier, Spencer (Feb 10)
- RE: start snort in IDS mode William Fitzgerald (Feb 10)
- RE: start snort in IDS mode William Fitzgerald (Feb 10)
- RE: start snort in IDS mode William Fitzgerald (Feb 11)
- RE: start snort in IDS mode William Fitzgerald (Feb 11)
- RE: start snort in IDS mode Plantier, Spencer (Feb 11)
- RE: start snort in IDS mode William Fitzgerald (Feb 11)
- RE: start snort in IDS mode Alex Butcher, ISC/ISYS (Feb 16)