Snort mailing list archives
Re: Having a problem getting Snort rules implemented
From: Stephen Gantz <stephen.gantz () faculty umuc edu>
Date: Thu, 26 May 2016 17:30:30 -0400
Justin,

You need to copy the community.rules file from the zip you downloaded into /etc/snort/rules. You also need to edit snort.conf (step #7 specifically) to add an include statement for community.rules and comment out all the others. The registered and subscriber rules packages contain all the rules files listed in snort.conf, but the community rules are not structured the same way. If you want the rules files to line up with what is in snort.conf (or if you want to install the shared object rules to enable dynamic rule processing), you might consider creating a free account on snort.org and downloading the registered ruleset instead.

If you haven't got any dynamic rules in your setup, then you can comment out the line in step #4 that references the dynamic rules, but leave the other two lines enabled (dynamicpreprocessor directory and dynamic engine). Snort isn't much use without the preprocessors unless you just want to run in packet logger mode.

Dr. Stephen D. Gantz
CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO
Professor of Information Assurance
The Graduate School
University of Maryland University College
stephen.gantz () faculty umuc edu
On May 26, 2016, at 5:04 PM, justin hyland <jhyland87 () gmail com> wrote:

Hello, new Snort user here. I just installed the latest version of Snort on a new CentOS7 server, following the instructions from this article: http://www.unixmen.com/install-snort-nids-centos-7/

It seemed to go pretty smoothly, except when I execute Snort, I get an error saying the rules at /usr/local/lib/snort_dynamicrules don't exist. And when I look through the community rules I downloaded, I don't see that in there at all.

When I go and comment out the three dynamic rules lines and execute Snort again, I get another error saying that /etc/snort/rules/local.rules doesn't exist. The only thing in the /etc/snort/rules directory is an iplists folder, which contains a default.blacklist.

Did I do something wrong, or miss a step in the article? I'm not sure how to get these rules set up. It walks you through installing pulledpork, but that's it.

--
Justin Hyland
Linux Engineer/Software Developer/Technology Enthusiast
It is the mark of an educated mind to be able to entertain a thought without accepting it. - Aristotle
M: 602.740.0620
E: jhyland87 () gmail com
W: www.justinhyland.com
LI: https://www.linkedin.com/in/justin-hyland-a0b34b10
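The two things the reply says to look at (the include lines from step #7 and the dynamic-rules directory from step #4) can be checked before Snort is started. The script below is an added example, not code from either message or from the Snort project; it assumes the standard snort.conf directives named in the thread and builds its own throwaway sample layout.

```shell
# Added example, not code from the thread: list every rules file and
# dynamic-rules directory that an uncommented snort.conf line points at, and
# whether it exists, before Snort is started. Assumes the stock layout the
# thread refers to: "var RULE_PATH <dir>", "include $RULE_PATH/<file>.rules"
# (step #7) and "dynamicdetection directory <dir>" (step #4); "#" lines skip.

# check_snort_paths CONF: prints "ok <path>" or "missing <path>" per entry;
# returns 1 when at least one path is missing (paths with spaces unsupported).
check_snort_paths() {
    conf="$1"
    conf_dir=$(dirname "$conf")
    # Last RULE_PATH definition wins; a relative one is relative to snort.conf.
    rule_path=$(sed -n 's/^[[:space:]]*var[[:space:]][[:space:]]*RULE_PATH[[:space:]][[:space:]]*//p' "$conf" | tail -n 1)
    case "$rule_path" in /*) ;; *) rule_path="$conf_dir/$rule_path" ;; esac
    targets=$(sed -n \
        -e 's/^[[:space:]]*include[[:space:]][[:space:]]*//p' \
        -e 's/^[[:space:]]*dynamicdetection[[:space:]][[:space:]]*directory[[:space:]][[:space:]]*//p' \
        "$conf")
    missing=0
    for f in $targets; do
        case "$f" in
            '$RULE_PATH/'*) path="$rule_path/${f#\$RULE_PATH/}" ;;
            /*) path="$f" ;;
            *) path="$conf_dir/$f" ;;
        esac
        if [ -e "$path" ]; then
            echo "ok $path"
        else
            echo "missing $path"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# make_sample_conf DIR: constructed test layout mirroring the thread --
# community.rules present, local.rules and snort_dynamicrules absent.
make_sample_conf() {
    mkdir -p "$1/etc/snort/rules"
    : > "$1/etc/snort/rules/community.rules"
    cat > "$1/etc/snort/snort.conf" <<EOF
var RULE_PATH $1/etc/snort/rules
dynamicdetection directory $1/lib/snort_dynamicrules/
include \$RULE_PATH/community.rules
include \$RULE_PATH/local.rules
# include \$RULE_PATH/web-attacks.rules
EOF
    echo "$1/etc/snort/snort.conf"
}
```

Against a real install, run `check_snort_paths /etc/snort/snort.conf`; every `missing` line is an include (or the dynamicdetection directory) that should either exist or be commented out, as the reply describes.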
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Having a problem getting Snort rules implemented justin hyland (May 26)
- Re: Having a problem getting Snort rules implemented Al Lewis (allewi) (May 26)
- Re: Having a problem getting Snort rules implemented Stephen Gantz (May 26)