Snort mailing list archives

Re: Startup error post-package install


From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 26 Feb 2015 10:45:34 -0700

On Thu, 2015-02-26 at 12:11 -0500, Research wrote:

Hello,

I have just begun using Snort and am following along with a book ("Linux Firewalls", 4th Edition (c) 2015).  I am 
currently just focussing on getting Snort up and running and plan to read the full Snort documentation set next.

Installing on Ubuntu 12.0.4.5 LTS via the following:

      sudo apt-get install snort

…installs Snort.  Version is:

      snort -V

…returning "Version 2.9.2 IPv6 GRE (Build 78)".

I verified in: /etc/snort/snort.conf that the ruleset that ships with the Ubuntu package is correctly referenced:

      var RULE_PATH /etc/snort/rules

I then attempted to start Snort in non-daemon mode with:

      sudo snort start -c /etc/snort/snort.conf

…however I receive the following and then termination:

      (lines omitted)
      +++++++++++++++++++++++++++++++++++++++++++++++++++
      Initializing rule chains...
      WARNING /etc/snort/rules/chat.rules(33) threshold (in rule) is deprecated; use detection_filter instead.
      ERROR: /etc/snort/rules/community-virus.rules(19) !any is not allowed: !$DNS_SERVERS.
      Fatal Error, Quitting..

At this point, however, I have not edited any of the default rules or snort.conf configuration file.

If I then run Snort in daemon mode, there is success - Snort does not terminate - and I see alerts in the snort.log 
file.

What is going wrong on the non-daemon start that is causing it to terminate?

Thanks
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


I suggest you reference:

https://snort.org/documents/snort-2-9-7-x-on-ubuntu-12-lts-and-14-lts

Installing and upgrading from source matches well with the speed at
which snort is updated (current version is 2.9.7....2.9.2 is ANCIENT).
I do not know of any repos that keep a current version of snort.

James
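The fatal error quoted in the thread reports that `!$DNS_SERVERS` in community-virus.rules expands to `!any`, which Snort rejects. As an added example (not part of the original thread and not Snort project code), this Python script resolves the variables defined in a snort.conf and lists rule lines that negate a variable resolving to `any`; the sample configuration and rules are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample input (not from the thread): a minimal snort.conf
# variable section and three rule lines, one of them commented out.
SAMPLE_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS [10.0.0.25,10.0.0.26]
var RULE_PATH /etc/snort/rules
"""
SAMPLE_RULES = """\
alert udp !$DNS_SERVERS any -> any 53 (msg:"constructed example"; sid:1000001;)
alert tcp !$SMTP_SERVERS any -> any 25 (msg:"constructed example"; sid:1000002;)
# alert tcp !$HOME_NET any -> any 80 (msg:"disabled rule"; sid:1000003;)
"""

VAR_DEF = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\w+)\s+(\S+)")
NEGATED = re.compile(r"!\$(\w+)")

def parse_vars(conf_text):
    """Collect 'var NAME value' style definitions from snort.conf text."""
    variables = {}
    for line in conf_text.splitlines():
        m = VAR_DEF.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables

def resolve(name, variables, seen=()):
    """Follow $VAR references until a literal value is reached."""
    if name in seen or name not in variables:
        return None  # undefined variable or reference loop
    value = variables[name]
    if value.startswith("$"):
        return resolve(value[1:], variables, seen + (name,))
    return value

def find_negated_any(rules_text, variables):
    """Return (line number, variable) for each active rule negating 'any'."""
    hits = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank and disabled rules
        header = line.split("(", 1)[0]  # addresses/ports precede the options
        for name in NEGATED.findall(header):
            if resolve(name, variables) == "any":
                hits.append((lineno, name))
    return hits
```

To check an installed rule set, pass the contents of `/etc/snort/snort.conf` to `parse_vars` and each file under the configured `RULE_PATH` to `find_negated_any`.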
