[techtalk] Should I feel honored?

Nicole Zimmerman colby at wsu.edu
Sat Apr 21 15:07:21 EST 2001


One thing you might try is

dpkg-reconfigure snort

And if you tell snort to start at boot, you can also start/stop it by
running:

/etc/init.d/snort [start|stop|restart]

There is also an important file snort.debian.conf (this is what
dpkg-reconfigure changes) that determines how snort is started and what
the "home network" is.

The /etc/init.d/snort might also be created by default, just not attached
to any runlevels. You should be able to use /etc/init.d/snort to start and
stop it anyway. You can specify the runtime options by editing the
/etc/snort/snort.debian.conf or dpkg-reconfigure snort.

Now to the configuration file problem :o)

I snipped it up.

If you installed snort from stable and are getting a 1.7+ configuration
file by default, I suggest filing a bug against the package. apt-get
install reportbug and run reportbug to do this easily :o)

I have snort 1.5.1-11 on my stable box and I think the config works fine
(when I /etc/init.d/snort start it works ok with no errors).

You know what is strange? My /etc/snort/snort.conf is a really short list
of Debian rules:

-----
# This file is used for options that are changed by Debian to leave
# the original lib files untouched.
# You have to use "dpkg-reconfigure snort" to change them.

DEBIAN_SNORT_STARTUP=boot
DEBIAN_SNORT_HOME_NET="63.161.24.0/22"
DEBIAN_SNORT_OPTIONS=" -i eth0"
DEBIAN_SNORT_STATS_RCPT="root"
DEBIAN_SNORT_STATS_TRESHOLD="1"

-----

And when I run dpkg-reconfigure snort on that box, all it does is stop and
restart snort. How odd!

-nicole

At 14:13 on Apr 21, Kath combined all the right letters to say:

> This is the error I am receiving: ERROR line snort.conf (227) => Unknown
> rule type: output
>
> # This example will create a rule type that will log to syslog
> #
> #
> output alert_syslog: LOG_AUTH LOG_ALERT #!!!!!!!!!!!!!!!!!!!!!!!!!! LINE IN QUESTION !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> 
> 
> Okay, that's it.
> 
> WAIT, I just looked at the version on snort and it is 1.5.1 and this file
> says it only works for 1.7.0+.  Could that be it?
> 
> Could you possibly send me a copy of your snort.conf?  What I really just
> want it to do is log attacks like the rpc.statd that happened so I can try
> to get the offender's IP address.
> 
> - Kath
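
Added example (not part of the original messages, and not code from the snort package): a pre-flight check for the mismatch discussed in this thread, where a snort.conf written for 1.7.0+ is loaded by snort 1.5.1 and fails at an "output" line. The 1.7.0 threshold is taken from Kath's description of her file; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumption: "output" lines need snort >= MIN_VER (1.7.0, the version
# Kath's config file says it was written for).
MIN_VER="1.7.0"

# version_lt A B: true when A sorts strictly before B (needs sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# normalize_version: strip a Debian revision, e.g. "1.5.1-11" -> "1.5.1".
normalize_version() {
    printf '%s\n' "${1%%-*}"
}

# find_output_lines FILE: print "lineno:text" for every active (not
# commented-out) output directive.
find_output_lines() {
    grep -nE '^[[:space:]]*output[[:space:]]' "$1"
}

# check_conf FILE VERSION: return 1 and list the offending lines when the
# config contains output directives and VERSION is older than MIN_VER.
check_conf() {
    conf=$1
    ver=$(normalize_version "$2")
    hits=$(find_output_lines "$conf") || return 0   # no output lines at all
    if version_lt "$ver" "$MIN_VER"; then
        echo "snort $ver will reject these lines in $conf:"
        echo "$hits"
        return 1
    fi
    return 0
}

# Constructed sample reproducing the directive quoted in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# This example will create a rule type that will log to syslog
output alert_syslog: LOG_AUTH LOG_ALERT
EOF
check_conf "$sample" "1.5.1-11" ||
    echo "=> use a config written for this version, or snort >= $MIN_VER"
rm -f "$sample"
```

On a Debian system the installed version can be supplied with `dpkg-query -W -f='${Version}' snort`.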




