Re: Startup error post-package install

[James Lay <jlay () slave-tothe-box net>]

On Thu, 2015-02-26 at 16:14 -0500, Research wrote:

> On Feb 26, 2015, at 2:34 PM, Y M <snort () outlook com> wrote:
>
>
>
> > > ERROR: /etc/snort/rules/community-virus.rules(19) !any is not
> > allowed: !$DNS_SERVERS.
> > > Fatal Error, Quitting..
> >
> >
> > This error is due to the fact that $DNS_SERVERS variable is defined
> > as any, however, you have a rule in "community-virus.rules" that
> > looks for IP addresses that are "not" in $DNS_SERVERS by using the
> > deny operator "!"; i.e.: the rules is negating any, which is not an
> > IP address. This is not a Snort error per se, you need to define the
> > IP addresses that should go into $DNS_SERVERS, $HOME_NET, etc so
> > that when the negation takes place, it negates IP addresses and not
> > the keyword any.
> >
> > > At this point, however, I have not edited any of the default rules
> > or snort.conf configuration file.
> > > If I then run Snort in daemon mode, there is success - Snort does
> > not terminate - and I see alerts in the snort.log file.
> > > What is going wrong on the non-daemon start that is causing it to
> > terminate ?
> > > Thanks
>
>
>
> Hi,
>
>
> I was able to follow the excellent documentation you mentioned, James,
> at: 
>
>
> https://snort.org/documents/snort-2-9-7-x-on-ubuntu-12-lts-and-14-lts
>
>
> …and successfully compiled the most up-to-date version.  Running:
>
>
> snort -V
>
>
> …results in:
>
>
> Version 2.9.7.0 GRE (Build 149)
>
>
> I continued to follow the instructions and filed in some of the
> variables, which Y M noted was likely causing problems in the default
> rules that were bundled in the Ubuntu package for the older version.
>  Running a test run on the correctness of the new config files yielded
> no errors.
>
>
> I then ran Snort with outputting to console and then created the test
> rule in the documentation that fires on ICMP traffic:
>
>
> alert icmp any any -> 1.2.3.4 any (msg:"ICMP test"; sid:10000001;
> rev:001;)
>
>
> …where 1.2.3.4 is the stand-in for my web servers public IP address.
>  Running ping against the server yielded the following on the console:
>
>
> 02/26-15:59:42.543423  [**] [1:10000001:1] ICMP test [**] [Priority:
> 0] {ICMP} 5.6.7.8 -> 1.2.3.4
>
>
> …which verified for me that operation was successful.
>
>
> One last question remains - my firewall is set to block all ICMP
> traffic and this shows up when running a ping on another machine
> against the firewall - the responses are dropped and ping breaks.
>  However, on the server that the firewall is on, Snort is able to see
> the ICMP traffic and fire the rule.
>
>
> Does this mean that Snort is looking at traffic *BEFORE* iptables
> blocks/allows it ?
>
>
> Thanks
>
> ------------------------------------------------------------------------------


Indeed it is.

James

------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!