Snort mailing list archives

Re: Having a problem getting Snort rules implemented


From: Stephen Gantz <stephen.gantz () faculty umuc edu>
Date: Thu, 26 May 2016 17:30:30 -0400

Justin,

You need to copy the community.rules file from the zip you downloaded into /etc/snort/rules. You also need to edit 
snort.conf (step #7 specifically) to add an include statement for community.rules and comment out all the others. The 
registered and subscriber rules packages contain all the rules files listed in snort.conf but the community rules are 
not structured the same way. If you want the rules files to line up with what is in snort.conf (or if you want to 
install the shared object rules to enable dynamic rule processing) you might consider creating a free account on 
snort.org and downloading the registered ruleset instead. 

If you haven't got any dynamic rules in your setup then you can comment out the line in step #4 that references the 
dynamic rules, but leave the other two lines enabled (dynamicpreprocessor directory and dynamic engine). Snort isn't 
much use without the preprocessors unless you just want to run in packet logger mode. 

Dr. Stephen D. Gantz
CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO
Professor of Information Assurance
The Graduate School
University of Maryland University College
stephen.gantz () faculty umuc edu
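The edits to snort.conf that Stephen describes (steps 4 and 7), as an added example that is not part of the original post: a small POSIX shell script that comments out every existing `include $RULE_PATH/...` line, appends one for community.rules, and disables the dynamicdetection line while leaving dynamicpreprocessor and dynamicengine alone. It works on a copy of the file, and the sample snort.conf fragment it runs on is constructed here; the /usr/local/lib paths are the stock Snort 2.9 ones.

```shell
#!/bin/sh
# Added example (not from the mailing list post): rewrite a Snort 2.9
# snort.conf so that only community.rules is loaded and the
# dynamicdetection (shared object rules) line is commented out.
set -eu

# fix_snort_conf SRC DST: write the adjusted configuration to DST.
#  - every "include $RULE_PATH/<file>" line is commented out (step 7)
#  - "include $RULE_PATH/community.rules" is appended
#  - the "dynamicdetection" line is commented out (step 4), while the
#    dynamicpreprocessor and dynamicengine lines are left enabled
fix_snort_conf() {
  src="$1"; dst="$2"
  sed -e 's|^include \$RULE_PATH/|# include $RULE_PATH/|' \
      -e 's|^dynamicdetection |# dynamicdetection |' "$src" > "$dst"
  printf 'include $RULE_PATH/community.rules\n' >> "$dst"
}

# active_includes FILE: number of rule-file include lines still enabled.
active_includes() {
  grep -c '^include \$RULE_PATH/' "$1" || true
}

# Demo on a constructed fragment of a stock snort.conf (steps 4 and 7).
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/snort.conf" <<'EOF'
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
EOF
  fix_snort_conf "$tmp/snort.conf" "$tmp/snort.conf.new"
  cat "$tmp/snort.conf.new"
  echo "active rule includes: $(active_includes "$tmp/snort.conf.new")"
  rm -rf "$tmp"
}

demo
```

After copying community.rules into /etc/snort/rules and applying the rewrite to the real snort.conf, `snort -T -c /etc/snort/snort.conf` runs the configuration in test mode and reports any rule file it still cannot find.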

On May 26, 2016, at 5:04 PM, justin hyland <jhyland87 () gmail com> wrote:

Hello, new Snort user here. I just installed the latest version of Snort on a new CentOS 7 server, following the 
instructions from this article: http://www.unixmen.com/install-snort-nids-centos-7/ 

It seemed to go pretty smoothly, except when I execute Snort, I get an error saying the rules at 
/usr/local/lib/snort_dynamicrules don't exist. And when I look through the community rules I downloaded, I don't see 
that in there at all. When I go and comment out the three dynamic rules lines and execute Snort again, I get another 
error, saying that /etc/snort/rules/local.rules doesn't exist.

The only thing in the /etc/snort/rules directory is an iplists folder, which contains a default.blacklist.

Did I do something wrong, or miss a step in the article? I'm not sure how to get these rules set up. It walks you 
through installing pulledpork, but that's it.


// ---------------------------
Justin Hyland
Linux Engineer/Software Developer/Technology Enthusiast

It is the mark of an educated mind to be able to entertain a thought without accepting it. - Aristotle

M: 602.740.0620
E:  jhyland87 () gmail com
W: www.justinhyland.com
LI: https://www.linkedin.com/in/justin-hyland-a0b34b10
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!