Snort mailing list archives

Re: snort NIDS


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Sat, 7 Feb 2015 21:03:52 +0000


On Feb 6, 2015, at 7:29 PM, rezaa abedi <nndreza () yahoo com> wrote:

Hi all,

I installed Snort on my Ubuntu machine and I need to edit Snort’s main configuration file, /etc/snort/snort.conf.
When I run Snort with this file as an argument, it tells Snort to run in NIDS mode.
Before I run Snort in NIDS mode, I need to make a few edits to the default configuration file. I need to
comment out all of the individual rule files that are referenced in the Snort configuration file, since instead
of downloading each file individually, I will use PulledPork to manage our rulesets, which combines all the
rules into a single file. The following line is supposed to comment out all rulesets in our snort.conf file, but it
does not work.

sudo sed -i ’s/include \$RULE\_PATH/#include \$RULE\_PATH/’ /etc/snort/snort.conf

Any ideas, please? This is the error I get every time I run the above command:
$~/snort_src/snort-2.9.7.0$ sudo sed -i ’s/include \$RULE\_PATH/#include \$RULE\_PATH/’ /etc/snort/snort.conf
sed: -e expression #1, char 1: unknown command: `�’

Looks like your error is listed above.  So let’s examine your command:

sudo sed -i ’s/include \$RULE\_PATH/#include \$RULE\_PATH/’ /etc/snort/snort.conf

The error is in the first “apostrophe”.  You don’t have a true apostrophe there.  What you are wanting to do is
probably:

sudo sed -i 's/include\ \$RULE\_PATH/#include\ \$RULE\_PATH/' /etc/snort/snort.conf


That being said, the above will not turn off all rules in the snort.conf; that will just comment out the RULE_PATH,
which will cause more errors.  You probably want to remove all the “include $RULE_PATH/<rulefile>.rules” lines in your
snort.conf and replace them all with a single entry of snort.rules.



--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
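
The cleanup the reply recommends, as an added example that is not part of the original thread: it comments out each active "include $RULE_PATH/<rulefile>.rules" line and leaves a single snort.rules include. The function names and the sample snort.conf excerpt are constructed for illustration, and the script assumes a sed that accepts -E and -i.bak (GNU sed on Ubuntu does).

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Snort or PulledPork.

# Constructed excerpt of a Snort 2.9 snort.conf, for demonstration only.
make_sample_conf() {
    cat > "$1" <<'EOF'
var RULE_PATH /etc/snort/rules
include classification.config
include $RULE_PATH/app-detect.rules
  include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/backdoor.rules
EOF
}

# Comment out every active per-file rule include, then make sure exactly one
# combined snort.rules include is present. Safe to run more than once.
consolidate_rule_includes() {
    conf="$1"
    # Plain ASCII single quotes: the shell hands $RULE_PATH to sed untouched.
    # The address skips the snort.rules line; "#&" prefixes the match with "#".
    sed -i.bak -E \
        '/\$RULE_PATH\/snort\.rules/!s|^[[:space:]]*include[[:space:]]+\$RULE_PATH/[^[:space:]]+\.rules|#&|' \
        "$conf"
    if ! grep -Eq '^[[:space:]]*include[[:space:]]+\$RULE_PATH/snort\.rules' "$conf"; then
        printf '%s\n' 'include $RULE_PATH/snort.rules' >> "$conf"
    fi
}

# Print the rule includes that are still active (not commented out).
active_rule_includes() {
    grep -E '^[[:space:]]*include[[:space:]]+\$RULE_PATH/' "$1" | sed -E 's/^[[:space:]]+//'
}

# Demonstration on the constructed sample, never on /etc/snort/snort.conf.
demo_dir=$(mktemp -d)
make_sample_conf "$demo_dir/snort.conf"
consolidate_rule_includes "$demo_dir/snort.conf"
active_rule_includes "$demo_dir/snort.conf"
rm -rf "$demo_dir"
```

The original file is kept beside the edited one as snort.conf.bak, and non-rule includes such as classification.config are left alone.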