Re: running snort

["Al Lewis (allewi)" <allewi () cisco com>]

Try this:

Please go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users



Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com 








On 3/29/17, 6:18 PM, "Dan Fulop" <dan () fulop org> wrote:

> How do I get off this fucking spam list?
>
> > On Mar 29, 2017, at 6:04 PM, Russ <rucombs () cisco com> wrote:
> >
> > That is a Snort 2.X conf.  You need a completely different beast for 
> > Snort 3.0.  Look at the conf installed in 
> > <install_path>/etc/snort.sort.lua or in the source tree in 
> > lua/snort.lua.  The README has more info to get you started.
> >
> > > On 3/29/17 5:57 PM, bobby wrote:
> > > I am trying to run snort 3 on ubuntu 16.04 x64.
> > >
> > >  sudo /usr/sbin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i
> > > enp1s0 -D
> > > FATAL: can't load /etc/snort/snort.conf: /etc/snort/snort.conf:2:
> > > unexpected symbol near '#'
> > > Fatal Error, Quitting..
> > >
> > > And here are the first several lines:
> > >  sudo cat snort.conf
> > > #--------------------------------------------------
> > > #   VRT Rule Packages Snort.conf
> > > #
> > > #   For more information visit us at:
> > > #     http://www.snort.org                   Snort Website
> > > #     http://vrt-blog.snort.org/    Sourcefire VRT Blog
> > > #
> > > #     Mailing list Contact:      snort-sigs () lists sourceforge net
> > > #     False Positive reports:    fp () sourcefire com
> > > #     Snort bugs:                bugs () snort org
> > > #
> > > #     Compatible with Snort Versions:
> > > #     VERSIONS : 2.9.7.0
> > > #
> > > #     Snort build options:
> > > #     OPTIONS : --enable-gre --enable-mpls --enable-targetbased
> > > --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response
> > > --enable-normalizer --enable-reload --enable-react --enable-flexresp3
> > > #
> > > #     Additional information:
> > > #     This configuration file enables active response, to run snort in
> > > #     test mode -T you are required to supply an interface -i <interface>
> > > #     or test mode will fail to fully validate the configuration and
> > > #     exit with a FATAL error
> > > #--------------------------------------------------
> > >
> > > ###################################################
> > > # This file contains a sample snort configuration.
> > > # You should take the following steps to create your own custom
> > > configuration:
> > > #
> > > #  1) Set the network variables.
> > > #  2) Configure the decoder
> > > #  3) Configure the base detection engine
> > > #  4) Configure dynamic loaded libraries
> > > #  5) Configure preprocessors
> > > #  6) Configure output plugins
> > > #  7) Customize your rule set
> > > #  8) Customize preprocessor and decoder rule set
> > > #  9) Customize shared object rule set
> > > ###################################################
> > >
> > > portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
> > >
> > > ###################################################
> > > # Step #1: Set the network variables.  For more information, see
> > > README.variables
> > > ###################################################
> > >
> > > # Setup the network addresses you are protecting
> > > #
> > > # Note to Debian users: this value is overriden when starting
> > > # up the Snort daemon through the init.d script by the
> > > # value of DEBIAN_SNORT_HOME_NET s defined in the
> > > # /etc/snort/snort.debian.conf configuration file
> > > #
> > > ipvar HOME_NET any
> > >
> > > # Set up the external network addresses. Leave as "any" in most situations
> > > ipvar EXTERNAL_NET any
> > > # If HOME_NET is defined as something other than "any", alternative, you can
> > > # use this definition if you do not want to detect attacks from your
> > > internal
> > > # IP addresses:
> > > #ipvar EXTERNAL_NET !$HOME_NET
> > >
> > > # List of DNS servers on your network
> > > ipvar DNS_SERVERS $HOME_NET
> > >
> > > # List of SMTP servers on your network
> > > ipvar SMTP_SERVERS $HOME_NET
> > >
> > > # List of web servers on your network
> > > ipvar HTTP_SERVERS $HOME_NET
> > >
> > > # List of sql servers on your network
> > > ipvar SQL_SERVERS $HOME_NET
> > >
> > > # List of telnet servers on your network
> > > ipvar TELNET_SERVERS $HOME_NET
> > >
> > > # List of ssh servers on your network
> > > ipvar SSH_SERVERS $HOME_NET
> > >
> > > # List of ftp servers on your network
> > > ipvar FTP_SERVERS $HOME_NET
> > >
> > > # List of sip servers on your network
> > > ipvar SIP_SERVERS $HOME_NET
> > >
> > > # List of ports you run web servers on
> > > portvar HTTP_PORTS [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,
> > > 2809,3037,3128,3702,4343,4848,5250,6988,7000,7001,7144,7145,
> > > 7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,
> > > 8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080,
> > > 9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]
> > >
> > >
> > > How do I fix this?
> > > ------------------------------------------------------------------------------
> > > Check out the vibrant tech community on one of the world's most
> > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest Snort news!
> >
> >
> > ------------------------------------------------------------------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!