Snort mailing list archives
Re: running snort
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 29 Mar 2017 23:29:56 +0000
Not only has his user been removed, but he’s been banned. No, I don’t mind swearing. But we don’t need to be rude and inconsiderate at the same time.

--
Joel Esler | Talos: Manager | jesler () cisco com

On Mar 29, 2017, at 6:18 PM, Dan Fulop <dan () fulop org> wrote:

How do I get off this fucking spam list?

On Mar 29, 2017, at 6:04 PM, Russ <rucombs () cisco com> wrote:

That is a Snort 2.X conf. You need a completely different beast for Snort 3.0. Look at the conf installed in <install_path>/etc/snort.sort.lua or in the source tree in lua/snort.lua. The README has more info to get you started.

On 3/29/17 5:57 PM, bobby wrote:

I am trying to run snort 3 on ubuntu 16.04 x64.

sudo /usr/sbin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i enp1s0 -D
FATAL: can't load /etc/snort/snort.conf: /etc/snort/snort.conf:2: unexpected symbol near '#'
Fatal Error, Quitting..

And here are the first several lines:

sudo cat snort.conf
#--------------------------------------------------
# VRT Rule Packages Snort.conf
#
# For more information visit us at:
# http://www.snort.org Snort Website
# http://vrt-blog.snort.org/ Sourcefire VRT Blog
#
# Mailing list Contact: snort-sigs () lists sourceforge net
# False Positive reports: fp () sourcefire com
# Snort bugs: bugs () snort org
#
# Compatible with Snort Versions:
# VERSIONS : 2.9.7.0
#
# Snort build options:
# OPTIONS : --enable-gre --enable-mpls --enable-targetbased --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3
#
# Additional information:
# This configuration file enables active response, to run snort in
# test mode -T you are required to supply an interface -i <interface>
# or test mode will fail to fully validate the configuration and
# exit with a FATAL error
#--------------------------------------------------

###################################################
# This file contains a sample snort configuration.
# You should take the following steps to create your own custom configuration:
#
# 1) Set the network variables.
# 2) Configure the decoder
# 3) Configure the base detection engine
# 4) Configure dynamic loaded libraries
# 5) Configure preprocessors
# 6) Configure output plugins
# 7) Customize your rule set
# 8) Customize preprocessor and decoder rule set
# 9) Customize shared object rule set
###################################################

portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]

###################################################
# Step #1: Set the network variables. For more information, see README.variables
###################################################

# Setup the network addresses you are protecting
#
# Note to Debian users: this value is overriden when starting
# up the Snort daemon through the init.d script by the
# value of DEBIAN_SNORT_HOME_NET s defined in the
# /etc/snort/snort.debian.conf configuration file
#
ipvar HOME_NET any

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any
# If HOME_NET is defined as something other than "any", alternative, you can
# use this definition if you do not want to detect attacks from your internal
# IP addresses:
#ipvar EXTERNAL_NET !$HOME_NET

# List of DNS servers on your network
ipvar DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
ipvar SMTP_SERVERS $HOME_NET

# List of web servers on your network
ipvar HTTP_SERVERS $HOME_NET

# List of sql servers on your network
ipvar SQL_SERVERS $HOME_NET

# List of telnet servers on your network
ipvar TELNET_SERVERS $HOME_NET

# List of ssh servers on your network
ipvar SSH_SERVERS $HOME_NET

# List of ftp servers on your network
ipvar FTP_SERVERS $HOME_NET

# List of sip servers on your network
ipvar SIP_SERVERS $HOME_NET

# List of ports you run web servers on
portvar HTTP_PORTS [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,
2809,3037,3128,3702,4343,4848,5250,6988,7000,7001,7144,7145,
7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,
8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080,
9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]

How do I fix this?

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
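The failure discussed in this thread, as an added example that is not part of the original messages: Snort 3 parses its configuration as Lua, so a 2.x `snort.conf` stops at the first `#` comment or `ipvar` line. The check below is a heuristic that classifies a file before it is passed to `snort -c`; the function names and the Lua sample keys are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify a config file before `snort -c`.

# Prints: snort2 | lua | unknown | unreadable
conf_flavor() {
    cf_file=$1
    [ -r "$cf_file" ] || { echo unreadable; return 0; }
    # Snort 2.x directives such as "ipvar HOME_NET any" are not valid Lua.
    cf_dir=$(grep -cE '^[[:space:]]*(ipvar|portvar|var|preprocessor)[[:space:]]+[A-Za-z_]' "$cf_file" || true)
    # '#' comments are 2.x style. Line 1 is skipped because Lua's file loader
    # ignores a first line starting with '#', which is consistent with the
    # FATAL in the thread being reported at snort.conf:2 rather than :1.
    cf_hash=$(tail -n +2 "$cf_file" | grep -cE '^[[:space:]]*#' || true)
    # Lua markers: "--" comments and "name = value" assignments.
    cf_lua=$(grep -cE '^[[:space:]]*(--|[A-Za-z_][A-Za-z0-9_.]*[[:space:]]*=)' "$cf_file" || true)
    if [ $(($cf_dir + $cf_hash)) -gt 0 ]; then echo snort2
    elif [ "$cf_lua" -gt 0 ]; then echo lua
    else echo unknown
    fi
}

# Constructed samples: the first reuses lines quoted in the thread, the
# second is a made-up Lua fragment (key names are illustrative only).
write_samples() {
    ws_dir=$1
    cat > "$ws_dir/snort2.conf" <<'EOF'
#--------------------------------------------------
# VRT Rule Packages Snort.conf
ipvar HOME_NET any
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
EOF
    cat > "$ws_dir/snort3.lua" <<'EOF'
-- constructed Lua-style config
HOME_NET = 'any'
example_module = { }
EOF
}

# Returns 0 only when the file looks like Lua; otherwise explains and fails.
preflight() {
    pf_flavor=$(conf_flavor "$1")
    [ "$pf_flavor" = lua ] && return 0
    echo "refusing $1: looks like '$pf_flavor', Snort 3 expects a Lua config" >&2
    return 1
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir"/*; do printf '%s: %s\n' "${f##*/}" "$(conf_flavor "$f")"; done
rm -rf "$demo_dir"
```

A `#` line inside a Lua long comment or multi-line string would be misread as 2.x syntax, so treat a `snort2` verdict on a known Lua file as a prompt to look at the file rather than as proof.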
Current thread:
- running snort bobby (Mar 29)
- Re: running snort Russ (Mar 29)
- Re: running snort Dan Fulop (Mar 29)
- Re: running snort Al Lewis (allewi) (Mar 29)
- Re: running snort Luke Ager (Mar 29)
- Re: running snort Joel Esler (jesler) (Mar 29)
- Re: running snort Dan Fulop (Mar 29)
- Re: running snort Russ (Mar 29)