When I add some rules to snort (e.g. Network scan), snort enters a stopped state.
/etc/snort.conf
include $RULE_PATH/gpl/scan.rules
systemctl status snort.service
● snort.service - SYSV: Snort Network Intrusion Detection System
Loaded: loaded (/etc/rc.d/init.d/snort)
Active: failed (Result: exit-code) since Sun 2016-10-16 10:40:57 SAST; 48s ago
Docs: man:systemd-sysv-generator(8)
Process: 21399 ExecStop=/etc/rc.d/init.d/snort stop (code=exited, status=0/SUCCESS)
Process: 21450 ExecStart=/etc/rc.d/init.d/snort start (code=exited, status=1/FAILURE)
Oct 16 10:40:57 gateway.dc.lan snort[21464]: Initializing Output Plugins!
Oct 16 10:40:57 gateway.dc.lan snort[21464]: Initializing Preprocessors!
Oct 16 10:40:57 gateway.dc.lan snort[21464]: Initializing Plug-ins!
Oct 16 10:40:57 gateway.dc.lan snort[21464]: Parsing Rules file "/etc/snort.conf"
Oct 16 10:40:57 gateway.dc.lan snort[21464]: FATAL ERROR: /etc/snort.conf(2) Undefined variable name: RULE_PATH.
Oct 16 10:40:57 gateway.dc.lan snort[21450]: Starting snort: [FAILED]
Oct 16 10:40:57 gateway.dc.lan systemd[1]: snort.service: control process exited, code=exited status=1
Oct 16 10:40:57 gateway.dc.lan systemd[1]: Failed to start SYSV: Snort Network Intrusion Detection System.
Oct 16 10:40:57 gateway.dc.lan systemd[1]: Unit snort.service entered failed state.
Oct 16 10:40:57 gateway.dc.lan systemd[1]: snort.service failed.
As the error seems to be the variable RULE_PATH, I added it to /etc/snort.conf
var RULE_PATH /etc/snort.d/rules
include $RULE_PATH/gpl/scan.rules
systemctl start snort.service
Job for snort.service failed because the control process exited with error code. See "systemctl status snort.service" and "journalctl -xe" for details.
But still snort doesn't start
[root@gateway ~]# systemctl status snort.service
● snort.service - SYSV: Snort Network Intrusion Detection System
Loaded: loaded (/etc/rc.d/init.d/snort)
Active: failed (Result: exit-code) since Sun 2016-10-16 10:43:59 SAST; 19s ago
Docs: man:systemd-sysv-generator(8)
Process: 21399 ExecStop=/etc/rc.d/init.d/snort stop (code=exited, status=0/SUCCESS)
Process: 22348 ExecStart=/etc/rc.d/init.d/snort start (code=exited, status=1/FAILURE)
Oct 16 10:43:59 gateway.dc.lan snort[22364]: Parsing Rules file "/etc/snort.conf"
Oct 16 10:43:59 gateway.dc.lan snort[22364]: Tagged Packet Limit: 256
Oct 16 10:43:59 gateway.dc.lan snort[22364]: Log directory = /var/log/snort
Oct 16 10:43:59 gateway.dc.lan snort[22364]:
Oct 16 10:43:59 gateway.dc.lan snort[22364]: +++++++++++++++++++++++++++++++++++++++++++++++++++
Oct 16 10:43:59 gateway.dc.lan snort[22348]: Starting snort: [FAILED]
Oct 16 10:43:59 gateway.dc.lan systemd[1]: snort.service: control process exited, code=exited status=1
Oct 16 10:43:59 gateway.dc.lan systemd[1]: Failed to start SYSV: Snort Network Intrusion Detection System.
Oct 16 10:43:59 gateway.dc.lan systemd[1]: Unit snort.service entered failed state.
Oct 16 10:43:59 gateway.dc.lan systemd[1]: snort.service failed.
Any ideas?
Responses (3)
-
Hi Nick
Oct 17 15:50:34 gateway snort[1652]: Initializing rule chains...
Oct 17 15:50:34 gateway snort[1652]: FATAL ERROR: /etc/snort.d/rules/gpl/scan.rules(2) Undefined variable in the string: $EXTERNAL_NET.
Oct 17 15:50:34 gateway snort: Starting snort: [FAILED]
Seems like variables are not being correctly defined - I presume this config should be automatic and not have to be defined manually?
-
Have a look at the snort log and/or /var/log/messages. There is probably a better error description there. Any error in the rules tends to make snort fall over completely.
If you are downloading the rules from Emerging Threats make sure you use the open-nogpl rules or you risk duplicate rule numbers which will cause snort to fall over.
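The two failures in this thread (RULE_PATH in /etc/snort.conf, then $EXTERNAL_NET in scan.rules) are the same class of error, and Snort reports them one restart at a time. The following is an added example, not part of the original posts and not Snort's own code: it walks a config and its includes and lists every undefined $NAME in one pass. The sample files, the rule and the HOME_NET name are constructed, and only text before the first "(" on a line is checked.

```python
import re
from pathlib import Path

DEF_RE = re.compile(r"^(?:var|ipvar|portvar)\s+(\w+)\s+(\S.*)$")
INC_RE = re.compile(r"^include\s+(\S+)")
REF_RE = re.compile(r"(?<!\\)\$(\w+)")  # plain $NAME references only

# Constructed sample files modelled on the configuration quoted in the thread.
SAMPLE = {
    "/etc/snort.conf": "var RULE_PATH /etc/snort.d/rules\n"
                       "include $RULE_PATH/gpl/scan.rules\n",
    "/etc/snort.d/rules/gpl/scan.rules": "# constructed rule, not from a real rule set\n"
        'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed"; sid:1000001;)\n',
}

def undefined_vars(conf, read=lambda p: Path(p).read_text()):
    """Return (file, line, name) for each $NAME used before it is defined."""
    defined, problems, seen = {}, [], set()

    def expand(text):
        return REF_RE.sub(lambda m: defined.get(m.group(1), m.group(0)), text)

    def walk(path):
        if path in seen:          # guard against include loops
            return
        seen.add(path)
        for n, raw in enumerate(read(path).splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            # Simplification: only the text before the first "(" is checked,
            # i.e. var/include lines and rule headers, not rule options.
            for name in REF_RE.findall(line.split("(", 1)[0]):
                if name not in defined:
                    problems.append((path, n, name))
            if m := DEF_RE.match(line):
                defined[m.group(1)] = expand(m.group(2).strip())
            elif m := INC_RE.match(line):
                target = expand(m.group(1))
                if "$" not in target:   # skip includes that cannot be resolved
                    walk(target)

    walk(conf)
    return problems

if __name__ == "__main__":
    for path, n, name in undefined_vars("/etc/snort.conf", SAMPLE.__getitem__):
        print(f"{path}({n}): undefined variable {name}")
```

Snort's own test mode, `snort -T -c /etc/snort.conf`, remains the authoritative check, but it stops at the first fatal error.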