Snort mailing list archives

Re: Having trouble editing the configuration file for Windows


From: Trevor Thompson <trevthom18 () gmail com>
Date: Fri, 25 Jul 2014 16:25:04 -0400

I managed to fix the problem. I commented out all of the different rules
files that were included in the configuration file in Snort and after doing
so I was able to run Snort using the snort.conf file as an argument. Thanks,
everyone, for helping me solve this configuration issue that I am having.
Here are the edits that I made in case anyone else manages to run into the
same problem:

# site specific rules
# include $RULE_PATH\local.rules
# include $RULE_PATH\file-identify.rules
# include $RULE_PATH\app-detect.rules
# include $RULE_PATH\attack-responses.rules
# include $RULE_PATH\backdoor.rules
# include $RULE_PATH\bad-traffic.rules
# include $RULE_PATH\blacklist.rules
# include $RULE_PATH\botnet-cnc.rules
# include $RULE_PATH\browser-chrome.rules
# include $RULE_PATH\browser-firefox.rules
# include $RULE_PATH\browser-ie.rules
# include $RULE_PATH\browser-other.rules
# include $RULE_PATH\browser-plugins.rules
# include $RULE_PATH\browser-webkit.rules
# include $RULE_PATH\chat.rules
# include $RULE_PATH\content-replace.rules
# include $RULE_PATH\ddos.rules
# include $RULE_PATH\dns.rules
# include $RULE_PATH\dos.rules
# include $RULE_PATH\experimental.rules
# include $RULE_PATH\exploit-kit.rules
# include $RULE_PATH\exploit.rules
# include $RULE_PATH\file-executable.rules
# include $RULE_PATH\file-flash.rules
# include $RULE_PATH\file-image.rules
# include $RULE_PATH\file-java.rules
# include $RULE_PATH\file-multimedia.rules
# include $RULE_PATH\file-office.rules
# include $RULE_PATH\file-other.rules
# include $RULE_PATH\file-pdf.rules
# include $RULE_PATH\finger.rules
# include $RULE_PATH\ftp.rules
# include $RULE_PATH\icmp.rules
# include $RULE_PATH\imap.rules
# include $RULE_PATH\indicator-compromise.rules
# include $RULE_PATH\indicator-obfuscation.rules
# include $RULE_PATH\indicator-scan.rules
# include $RULE_PATH\indicator-shellcode.rules
# include $RULE_PATH\info.rules
# include $RULE_PATH\malware-backdoor.rules
# include $RULE_PATH\malware-cnc.rules
# include $RULE_PATH\malware-other.rules
# include $RULE_PATH\malware-tools.rules
# include $RULE_PATH\misc.rules
# include $RULE_PATH\multimedia.rules
# include $RULE_PATH\mysql.rules
# include $RULE_PATH\netbios.rules
# include $RULE_PATH\nntp.rules
# include $RULE_PATH\oracle.rules
# include $RULE_PATH\os-linux.rules
# include $RULE_PATH\os-mobile.rules
# include $RULE_PATH\os-other.rules
# include $RULE_PATH\os-solaris.rules
# include $RULE_PATH\os-windows.rules
# include $RULE_PATH\other-ids.rules
# include $RULE_PATH\p2p.rules
# include $RULE_PATH\phishing-spam.rules
# include $RULE_PATH\policy-multimedia.rules
# include $RULE_PATH\policy-other.rules
# include $RULE_PATH\policy.rules
# include $RULE_PATH\policy-social.rules
# include $RULE_PATH\policy-spam.rules
# include $RULE_PATH\pop2.rules
# include $RULE_PATH\pop3.rules
# include $RULE_PATH\protocol-dns.rules
# include $RULE_PATH\protocol-finger.rules
# include $RULE_PATH\protocol-ftp.rules
# include $RULE_PATH\protocol-icmp.rules
# include $RULE_PATH\protocol-imap.rules
# include $RULE_PATH\protocol-nntp.rules
# include $RULE_PATH\protocol-pop.rules
# include $RULE_PATH\protocol-rpc.rules
# include $RULE_PATH\protocol-scada.rules
# include $RULE_PATH\protocol-services.rules
# include $RULE_PATH\protocol-snmp.rules
# include $RULE_PATH\protocol-telnet.rules
# include $RULE_PATH\protocol-tftp.rules
# include $RULE_PATH\protocol-voip.rules
# include $RULE_PATH\pua-adware.rules
# include $RULE_PATH\pua-other.rules
# include $RULE_PATH\pua-p2p.rules
# include $RULE_PATH\pua-toolbars.rules
# include $RULE_PATH\rpc.rules
# include $RULE_PATH\rservices.rules
# include $RULE_PATH\scada.rules
# include $RULE_PATH\scan.rules
# include $RULE_PATH\server-apache.rules
# include $RULE_PATH\server-iis.rules
# include $RULE_PATH\server-mail.rules
# include $RULE_PATH\server-mssql.rules
# include $RULE_PATH\server-mysql.rules
# include $RULE_PATH\server-oracle.rules
# include $RULE_PATH\server-other.rules
# include $RULE_PATH\server-samba.rules
# include $RULE_PATH\server-webapp.rules
# include $RULE_PATH\shellcode.rules
# include $RULE_PATH\smtp.rules
# include $RULE_PATH\snmp.rules
# include $RULE_PATH\specific-threats.rules
# include $RULE_PATH\spyware-put.rules
# include $RULE_PATH\sql.rules
# include $RULE_PATH\telnet.rules
# include $RULE_PATH\tftp.rules
# include $RULE_PATH\virus.rules
# include $RULE_PATH\voip.rules
# include $RULE_PATH\web-activex.rules
# include $RULE_PATH\web-attacks.rules
# include $RULE_PATH\web-cgi.rules
# include $RULE_PATH\web-client.rules
# include $RULE_PATH\web-coldfusion.rules
# include $RULE_PATH\web-frontpage.rules
# include $RULE_PATH\web-iis.rules
# include $RULE_PATH\web-misc.rules
# include $RULE_PATH\web-php.rules
# include $RULE_PATH\x11.rules

# dynamic library rules
# include $SO_RULE_PATH/bad-traffic.rules
# include $SO_RULE_PATH/browser-ie.rules
# include $SO_RULE_PATH/chat.rules
# include $SO_RULE_PATH/dos.rules
# include $SO_RULE_PATH/exploit.rules
# include $SO_RULE_PATH/file-flash.rules
# include $SO_RULE_PATH/icmp.rules
# include $SO_RULE_PATH/imap.rules
# include $SO_RULE_PATH/misc.rules
# include $SO_RULE_PATH/multimedia.rules
# include $SO_RULE_PATH/netbios.rules
# include $SO_RULE_PATH/nntp.rules
# include $SO_RULE_PATH/p2p.rules
# include $SO_RULE_PATH/smtp.rules
# include $SO_RULE_PATH/snmp.rules
# include $SO_RULE_PATH/specific-threats.rules
# include $SO_RULE_PATH/web-activex.rules
# include $SO_RULE_PATH/web-client.rules
# include $SO_RULE_PATH/web-iis.rules
# include $SO_RULE_PATH/web-misc.rules

With all of these commented out, I could run Snort with a simple rule just to
test the functionality of running the software with the snort.conf file, and
it worked!


On Fri, Jul 25, 2014 at 4:04 PM, waldo kitty <wkitty42 () windstream net>
wrote:

On 7/24/2014 3:35 PM, Trevor Thompson wrote:
I believe the classification.conf file is in the proper directory; here are the lines in the snort.conf file that reference it:

include C:\snort\etc\classification.config
include C:\snort\etc\reference.config

I also searched the entire contents of the Snort directory installed on the C drive and could only find the classification file within the etc directory at the exact path that the snort.conf file says that I should look for.

ok... and there's not one in your rules directory? if there is it should not be being read according to your snort.conf...

the only other thing i can think of right now is file permissions and ownership... do they allow snort to read that file as the user it is running as?

--
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.


------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
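An added example, not from the thread, that checks the include lines of a snort.conf rather than commenting all of them out: it expands $RULE_PATH-style variables, skips commented lines, and reports each active include whose file is missing or unreadable (the permission question raised in the reply). The sample configuration and the C:\Snort paths in it are constructed for illustration; `readable` can be swapped for a custom check.

```python
import os
import re

# Constructed snort.conf fragment modelled on the Windows paths quoted in the
# thread (hypothetical install under C:\Snort, not a real configuration).
SAMPLE_CONF = r"""
var RULE_PATH c:\Snort\rules
var SO_RULE_PATH c:\Snort\so_rules
include C:\snort\etc\classification.config
include C:\snort\etc\reference.config
include $RULE_PATH\local.rules
# include $RULE_PATH\web-attacks.rules
include $SO_RULE_PATH/bad-traffic.rules
"""
VAR_RE = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\S+)\s+(.+?)\s*$")
INCLUDE_RE = re.compile(r"^\s*include\s+(.+?)\s*$")

def parse_includes(conf_text):
    """Return (variables, includes); includes holds (line_no, raw, resolved).
    Commented-out lines are skipped and $NAME is expanded from earlier vars."""
    variables, includes = {}, []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = INCLUDE_RE.match(line)
        if m:
            raw = m.group(1)
            resolved = re.sub(r"\$(\w+)",
                              lambda v: variables.get(v.group(1), v.group(0)),
                              raw)
            includes.append((lineno, raw, resolved))
    return variables, includes

def default_readable(path):
    """True if the file exists and the current user can read it (the
    permission/ownership question raised in the reply)."""
    return os.path.isfile(path) and os.access(path, os.R_OK)

def find_bad_includes(conf_text, readable=default_readable):
    """List (line_no, resolved_path) for each active include whose target is
    missing or unreadable, so only those lines need fixing or commenting."""
    return [(n, p) for n, _, p in parse_includes(conf_text)[1] if not readable(p)]

if __name__ == "__main__":
    for n, p in find_bad_includes(SAMPLE_CONF):
        print(f"line {n}: cannot read {p}")
```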
