这是我第一次使用 snort。我无法让它运行。我跟着本教程确实如此。而且我已经Fedora 21。
以下是输出snort -c /etc/snort/snort.conf -v -i enp0s3:
Running in IDS mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined : [ 80:81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ]
PortVar 'SSH_PORTS' defined : [ 22 ]
PortVar 'FTP_PORTS' defined : [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined : [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined : [ 80:81 110 143 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
PortVar 'GTP_PORTS' defined : [ 2123 2152 3386 ]
Detection:
Search-Method = AC-Full-Q
Split Any/Any group = enabled
Search-Method-Optimizations = enabled
Maximum pattern length = 20
ERROR: /etc/snort//etc/snort/rules/app-detect.rules(0) Unable to open rules file "/etc/snort//etc/snort/rules/app-detect.rules": No such file or directory.
Fatal Error, Quitting..
问题在日志的最后。看起来不严重,但我搞不清楚。这是我编辑的部分snort配置文件:
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# If you are using reputation preprocessor set these
# Currently there is a bug with relative paths, they are relative to where snort is
# not relative to snort.conf like the above variables
# This is completely inconsistent with how other vars work, BUG 89986
# Set the absolute path appropriately
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
我认为导致问题的规则是:
include $RULE_PATH/app-detect.rules
答案1
我编辑了路径变量以使它们成为相对的:
var RULE_PATH rules
var SO_RULE_PATH so_rules
var PREPROC_RULE_PATH preproc_rules
和下载了规则,将它们提取到/etc/snort/rules/,现在就可以正常工作了。
答案2
似乎
/etc/snort//etc/snort/
这是一个双路径配置,这可能是 Snort 防火墙的问题所在。
- 尝试检查是否存在双重 $RULE_PATH,或者如果这不是全局变量,请尝试删除 /etc/snort/。
答案3
您可以尝试的一种选择是注释导致问题的规则的路径。注释包含 app-detect.rules 的行将导致当您运行 snort 时错误会改变,并且它将引用另一个规则路径。您可以通过在它们前面添加“#”来手动注释所有这些,或者使用以下代码行:
sudo sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf
答案4
使用 Server snort 中的命令
sudo sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf