Fatal Error /etc/snort/rules/exploit.rules
OSX: Snort: ERROR: /etc/snort/../rules/local.rules(0) Unable to open rules file “/etc/snort/../rules/local.rules”: No such file or directory

I'm trying to set up and run Snort IDS on mac using this kinda tutorial: https://discussions.apple.com/thread/3370709?start=0&tstart=0

OSX Yosemite (10.10.2)
PostgreSQL 9.4.1 (installed with Homebrew)
Snort: stable 2.9.7.0 (installed with Homebrew)

When I finally try to start it like this:

    $ sudo /usr/local/bin/snort -d -e -i en0 -c /etc/snort/snort.conf

Getting this:

    Password:
    Running in IDS mode
    --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file "/etc/snort/snort.conf"
    ...
    ERROR: /etc/snort/../rules/local.rules(0) Unable to open rules file "/etc/snort/../rules/local.rules": No such file or directory.
    Fatal Error, Quitting..

The rule is actually in place at /etc/snort/rules/local.rules

RULE_PATH is set in /etc/snort/snort.conf to /etc/snort/rules

So:

    $ echo $RULE_PATH
    /etc/snort/rules

trying this:

    $ grep RULE_PATH /etc/snort/snort.conf
    var RULE_PATH ../rules
    var SO_RULE_PATH ../so_rules
    var PREPROC_RULE_PATH ../preproc_rules
    ...
Well after changing

    var RULE_PATH ../rules
    var SO_RULE_PATH ../so_rules
    var PREPROC_RULE_PATH ../preproc_rules

to

    var RULE_PATH /etc/snort/rules
    var SO_RULE_PATH /etc/snort/so_rules
    var PREPROC_RULE_PATH /etc/snort/preproc_rules

Getting:

    $ sudo /usr/local/bin/snort -d -e -i en0 -c /etc/snort/snort.conf
    Running in IDS mode
    --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file "/etc/snort/snort.conf"
    ...
    ERROR: /etc/snort/snort.conf(741) Unknown output plugin: "database"
    Fatal Error, Quitting..

Line 741 in /etc/snort/snort.conf is:

    output database: log, postgresql, user=snort password=password dbname=snort host=localhost

So since snort 2.9.3.0 direct database output isn't supported anymore. I should use snort's
Installing

Let's start with LIBPCAP. Make sure that you are in the directory where you downloaded all the files:

    cd /root/snorttemp

cd into the libpcap directory:

    cd libpcap-0.9.4

and make / install LIBPCAP:

    ./configure
    make
    make install

Next is PCRE. Again, make sure that you are in the directory where you downloaded all the files:

    cd /root/snorttemp

cd into the PCRE directory:

    cd pcre-6.3

and make / install pcre-6.3:

    ./configure
    make
    make install

Now it is time for Snort. Make sure that you are in the directory where you downloaded all the files:

    cd /root/snorttemp

cd into the snort directory:

    cd snort-2.6.0

and make / install Snort with some extra options that are needed:

    ./configure --enable-dynamicplugin --with-mysql
    make
    make install

Snort needs some directories, so let's create them:

    mkdir /etc/snort
    mkdir /etc/snort/rules
    mkdir /var/log/snort

Next, move the Snort files from the installation directory to the directories just created. Make sure that you are in the directory where you downloaded all the files:

    cd /root/snorttemp

cd into snort-2.6.0:

    cd snort-2.6.0

and into the rules directory:

    cd rules

Now we copy all files from rules into /etc/snort/rules:

    cp * /etc/snort/rules

We will do the same for the files in the installation's etc folder:

    cd ../etc
    cp * /etc/snort

Fixing the snort.conf

The /etc/snort/snort.conf needs some tuning to get it to work on your system!
So cd into /etc/snort:

    cd /etc/snort

and open snort.conf with nano (or any other text editor):

    nano snort.conf

Make these changes:

    change "var HOME_NET any" to "var HOME_NET 192.168.0.5/32"
    change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET"
    change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules"

As we built Snort with the '--with-mysql' option, and as BASE needs it, we also need to tell Snort which database to use. Scroll down until you see "# output database", and remove the # in front of the line for MySQL. Now also change the "user", "password" and "dbname". Make a note of these values, as you will need them later!

Save the file and close nano.

Setting up the MySQL Database for Snort.

There are many ways
Re: [Snort-users] FATAL ERROR: /etc/snort/snort.conf(0) Unable to open rules file "/etc/snort/snort.conf": Permission denied.#012
From: Jeremy Hoel
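
A preflight check for the three snort.conf failures quoted on this page, as an added example that is not from any of the quoted posts or from the Snort project: it reports an unreadable config, resolves include paths against the directory of snort.conf (which is how "../rules" became "/etc/snort/../rules" in the error above), and flags "output database" lines. The names preflight and demo and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

VAR_RE = re.compile(r"^\s*(?:var|portvar|ipvar)\s+(\S+)\s+(\S+)")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
OUTPUT_DB_RE = re.compile(r"^\s*output\s+database\s*:")

def preflight(conf_path):
    """Return [(line_no, problem)] for a Snort 2.x style snort.conf."""
    if not os.access(conf_path, os.R_OK):
        return [(0, f"cannot read {conf_path} (missing or permission denied)")]
    conf_dir = os.path.dirname(os.path.abspath(conf_path))
    variables, problems = {}, []
    with open(conf_path) as fh:
        for no, line in enumerate(fh, 1):
            if (m := VAR_RE.match(line)):
                variables[m.group(1)] = m.group(2)
            elif OUTPUT_DB_RE.match(line):
                problems.append((no, "output database is not supported since Snort 2.9.3.0"))
            elif (m := INCLUDE_RE.match(line)):
                # Expand $VAR, then resolve a relative result against the
                # directory that holds snort.conf, as the error message shows.
                raw = re.sub(r"\$(\w+)", lambda v: variables.get(v.group(1), v.group(0)), m.group(1))
                path = os.path.normpath(os.path.join(conf_dir, raw))
                if not os.access(path, os.R_OK):
                    problems.append((no, f"include {m.group(1)} -> {path}: not readable"))
    return problems

def demo():
    """Constructed sample tree mirroring the layout described in the question."""
    root = tempfile.mkdtemp()
    snort_dir = os.path.join(root, "etc", "snort")
    os.makedirs(os.path.join(snort_dir, "rules"))
    open(os.path.join(snort_dir, "rules", "local.rules"), "w").close()
    results = {}
    for label, rule_path in (("relative", "../rules"), ("absolute", os.path.join(snort_dir, "rules"))):
        conf = os.path.join(snort_dir, f"snort-{label}.conf")
        with open(conf, "w") as fh:
            fh.write(f"var RULE_PATH {rule_path}\n"
                     "include $RULE_PATH/local.rules\n"
                     "output database: log, postgresql, user=snort dbname=snort\n")
        results[label] = preflight(conf)
    return results

if __name__ == "__main__":
    for label, found in demo().items():
        print(label, found)
```

When run as root, os.access reports every existing file as readable, so run the check as the account Snort will use if the permission result matters.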