Re: Unable to run Snort in IPS mode

["Sharma, Ashish" <ashish.sharma3 () hp com>]

Rmkml,

Please find attached my 'local.rules' file.

Thanks
Ashish Sharma

-----Original Message-----
From: rmkml [mailto:rmkml () free fr] 
Sent: Monday, February 22, 2010 6:49 PM
To: Sharma, Ashish
Cc: rmkml () free fr
Subject: RE: [Snort-users] Unable to run Snort in IPS mode

ok thx you Sharma,
could you send local.rules please?
Regards
Rmkml


On Mon, 22 Feb 2010, Sharma, Ashish wrote:

> Rmkml,
>
> First of all thanks for helping.
>
> I don't think there is any problem with command formatting or 'RULE_PATH' variable error.
>
> Reason being that when I comment out the 'reject' and 'sdrop' rules from 'local.rules' file and only 'drop' rules are 
> there, then 'Snort' is able to run fine and alerts are generated and logged.
>
> For your reference my 'Snort.conf' is attached.
>
> Thanks for helping again.
>
> Ashish Sharma
>
> -----Original Message-----
> From: rmkml [mailto:rmkml () free fr]
> Sent: Monday, February 22, 2010 5:15 PM
> To: Sharma, Ashish
> Cc: rmkml () free fr
> Subject: Re: [Snort-users] Unable to run Snort in IPS mode
>
> Hi Sharma,
> you start snort with cmd line:
>  'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l /var/log/snort'
> please remove space like ... -c /etc/snort/snort.conf ...
> on your snort.conf, what is RULE_PATH variable contains please? or send
> snort.conf...
> Regards
> Rmkml
>
>
> On Mon, 22 Feb 2010, Sharma, Ashish wrote:
>
> > Hi,
> >
> > I have a fedora core 10 virtual machine running on a sun virtual box.
> >
> > I am trying to run Snort on this machine in IPS mode.
> >
> > I followed the following steps (I had already installed the prerequisites for Snort IPS):
> >
> > 1. Downloaded 'snort-2.8.5.2.tar.gz'
> > 2. Extracted the binaries.
> > 3. did './configure --enable-inline'
> > 4. did 'make'
> > 5. did 'make install'
> > 6. copied snort rules and snort conf at appropriate location.
> > 7. executed the following command :
> > 'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l /var/log/snort'
> > 8. Snort launches with the traces :
> >
> > Enabling inline operation
> > Running in IDS mode
> >
> > --== Initializing Snort ==--
> > Initializing Output Plugins!
> > Initializing Preprocessors!
> > ..................................
> >
> > Initializing rule chains...
> > ERROR: /etc/snortIDSMode/rules /local.rules(10 ) Unknown rule type: reject.
> > Fatal Error, Quitting..
> >
> > 8. As you can see I have a test rule in local.rule that have a 'reject' rule in it but snort is not accepting it, 
> > same is the case for 'sdrop' rule also.
> >
> > 9. What is the problem , please help!!!!!
> >
> > What should I do in all to let my Snort run in IPS mode
> >
> > Thanks in advance
> >
> > Ashish Sharma

Attachment: local.rules
Description: local.rules

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users