Snort mailing list archives

Re: Startup error post-package install


From: Research <research () nativemethods com>
Date: Thu, 26 Feb 2015 12:58:20 -0500

On Feb 26, 2015, at 12:45 PM, James Lay <jlay () slave-tothe-box net> wrote:

On Thu, 2015-02-26 at 12:11 -0500, Research wrote:

Hello,

I have just begun using Snort and am following along with a book ("Linux Firewalls", 4th Edition (c) 2015).  I am 
currently just focussing on getting Snort up and running and plan to read the full Snort documentation set next.

Installing on Ubuntu 12.0.4.5 LTS via the following:

     sudo apt-get install snort

…installs Snort.  Version is:

     snort -V

…returning "Version 2.9.2 IPv6 GRE (Build 78)".

I verified in: /etc/snort/snort.conf that the ruleset that ships with the Ubuntu package is correctly referenced:

     var RULE_PATH /etc/snort/rules

I then attempted to start Snort in non-daemon mode with:

     sudo snort start -c /etc/snort/snort.conf

…however I receive the following and then termination:

     (lines omitted)
     +++++++++++++++++++++++++++++++++++++++++++++++++++
     Initializing rule chains...
     WARNING /etc/snort/rules/chat.rules(33) threshold (in rule) is deprecated; use detection_filter instead.
     ERROR: /etc/snort/rules/community-virus.rules(19) !any is not allowed: !$DNS_SERVERS.
     Fatal Error, Quitting..

At this point, however, I have not edited any of the default rules or snort.conf configuration file.

If I then run Snort in daemon mode, there is success - Snort does not terminate - and I see alerts in the snort.log 
file.

What is going wrong on the non-daemon start that is causing it to terminate?

Thanks

I suggest you reference:

https://snort.org/documents/snort-2-9-7-x-on-ubuntu-12-lts-and-14-lts

Installing and upgrading from source matches well with the speed at which snort is updated (current version is 
2.9.7....2.9.2 is ANCIENT).  I do not know of any repos that keep a current version of snort.

James

Hi James,

Thank you for the document outlining installing from source.  I will proceed to try that out in a test VM and then 
replicate the process on my web server.

Out of curiosity - have later versions of Snort (such as 2.9.7 as you mention) rectified the problem I ran into, or is 
it likely the same thing will happen?  I ask because I appreciate knowing about the latest version and will install it, 
but wonder if it will address the issue of snort terminating when I run it in non-daemon mode?

Thanks
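
The fatal error quoted in this thread names a negated variable, `!$DNS_SERVERS`, that Snort reads as `!any`. As an added example (not part of the thread and not Snort's own code), the check below resolves variable definitions and flags rule headers that negate a variable resolving to `any`; the configuration and rule text are constructed samples, the sids are placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample input (assumed values, not the poster's actual files).
SAMPLE_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
ipvar DNS_SERVERS $HOME_NET
ipvar SMTP_SERVERS [10.0.0.25,10.0.0.26]
"""

SAMPLE_RULES = """\
# constructed rules, sids are placeholders
alert udp $HOME_NET any -> !$DNS_SERVERS 53 (msg:"constructed example A"; sid:1000001;)
alert tcp !$SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"constructed example B"; sid:1000002;)
"""

VAR_DEF = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\w+)\s+(\S+)")
NEGATED_VAR = re.compile(r"!\$(\w+)")

def parse_vars(conf_text):
    """Collect NAME -> raw value from var/ipvar/portvar lines."""
    variables = {}
    for line in conf_text.splitlines():
        m = VAR_DEF.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables

def resolve(name, variables, seen=()):
    """Follow $NAME chains to a literal value; None if undefined or cyclic."""
    if name in seen or name not in variables:
        return None
    value = variables[name]
    if value.startswith("$"):
        return resolve(value[1:], variables, seen + (name,))
    return value

def find_negated_any(rules_text, variables):
    """Return (line number, variable) for each negated variable that resolves to any."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        header = line.split("(", 1)[0]  # rule header precedes the option block
        for name in NEGATED_VAR.findall(header):
            if resolve(name, variables) == "any":
                findings.append((lineno, name))
    return findings

if __name__ == "__main__":
    for lineno, name in find_negated_any(SAMPLE_RULES, parse_vars(SAMPLE_CONF)):
        print(f"rule line {lineno}: !${name} resolves to !any")
```
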