Bug 110103 - snort basic rules missing >=2.4.x
Summary: snort basic rules missing >=2.4.x
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High normal (vote)
Assignee: Gentoo Netmon project
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-10-21 22:57 UTC by Mark Conway
Modified: 2006-01-27 10:09 UTC
CC List: 0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Snort with basic rule set (snort-2.4.3-r1.ebuild,4.30 KB, text/plain)
2005-10-21 23:00 UTC, Mark Conway
Rules patch (snort-2.4.3-rules.diff,3.94 KB, patch)
2005-12-06 13:37 UTC, Donald R. Gray Jr

Description Mark Conway 2005-10-21 22:57:41 UTC
In snort 2.4.1, the base rules disappear causing snort to not start.

In 2.3.3-r1, snort rules were moved from /etc/snort to /etc/snort/rules for
housekeeping's sake.  Starting in 2.4.1, the base rules disappeared altogether.
I think this is because they were taken out of the main snort.tar.gz and put
into a separate archive.  There are different versions of the snort rules:
subscription release, registered user release, and unregistered user release
(which I think most of the gentoo userbase falls into).  Because the base rules
were removed, snort refuses to start because the files that it is looking for in
/etc/snort/rules are missing.  The easy fix for this is to add the archive for
the official snort ruleset (unregistered version of course) to the snort ebuild.

http://www.snort.org/pub-bin/downloads.cgi
Current Official Ruleset for Unregistered Users:
http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz

Reproducible: Always
Steps to Reproduce:
1. emerge -C snort
2. rm -r /etc/snort/ (to remove all rules for a clean install)
3. emerge >=net-analyzer/snort-2.4.1
Comment 1 Mark Conway 2005-10-21 23:00:01 UTC
Created attachment 71162 [details]
Snort with basic rule set

Added line 11 to include official ruleset for snort 2.4.

Tested and it works fine for me.
Comment 2 Mark Conway 2005-10-21 23:20:09 UTC
Actually, looking at this a little bit further, I notice that I have just
duplicated a few files that should only exist in /etc/snort/ and not in
/etc/snort/rules/:
  classification.config
  gen-msg.map
  reference.config
  sid-msg.map
  snort.conf
  threshold.conf
  unicode.map

These were in the snortrules-pr-2.4.tar.gz and thus moved to the rules folder
along with the base rules.  The init script for snort uses /etc/snort/snort.conf
so removing the ./rules/snort.conf is safe.

Another quick thought is that /etc/snort/snort.conf should be chmod 640 because
there is a username/password to the database program.
Comment 3 Benjamin Smee (strerror) (RETIRED) gentoo-dev 2005-10-23 07:30:44 UTC
I thought dragonheart / I fixed this in ~ a while back. Can you try snort 2.4.3
and let me know if it's still a problem.
Comment 4 Mark Conway 2005-10-23 08:24:04 UTC
$ tar -tf /usr/portage/packages/net-analyzer/snort-2.4.1.tbz2 | grep rules
./etc/snort/rules/

$ tar -tf /usr/portage/packages/net-analyzer/snort-2.4.1-r1.tbz2 | grep rules
./etc/snort/rules/
./etc/snort/rules/community-mail-client.rules
./etc/snort/rules/community-web-client.rules
./etc/snort/rules/community-virus.rules
./etc/snort/rules/community-misc.rules
./etc/snort/rules/community-web-dos.rules
./etc/snort/rules/sid-msg.map
./etc/snort/rules/community-web-cgi.rules
./etc/snort/rules/community-ftp.rules
./etc/snort/rules/community-exploit.rules
./etc/snort/rules/community-web-misc.rules
./etc/snort/rules/community-inappropriate.rules
./etc/snort/rules/community-game.rules
./etc/snort/rules/community-sql-injection.rules

$ tar -tf /usr/portage/packages/net-analyzer/snort-2.4.3.tbz2 | grep rules
./etc/snort/rules/
./etc/snort/rules/community-mail-client.rules
./etc/snort/rules/community-web-client.rules
./etc/snort/rules/community-virus.rules
./etc/snort/rules/community-misc.rules
./etc/snort/rules/community-web-dos.rules
./etc/snort/rules/sid-msg.map
./etc/snort/rules/community-web-cgi.rules
./etc/snort/rules/community-ftp.rules
./etc/snort/rules/community-exploit.rules
./etc/snort/rules/community-web-misc.rules
./etc/snort/rules/community-inappropriate.rules
./etc/snort/rules/community-game.rules
./etc/snort/rules/community-sql-injection.rules

The community rules have been installed, but the base rules are missing in all
of the 2.4.x builds.
Comment 5 Marco Morales 2005-10-23 08:37:19 UTC
There's no more base rules in snort AFAIK since they are selling them, or am I wrong?
Comment 6 Mark Conway 2005-10-23 09:28:04 UTC
That's why I made the link to the "Current Official Ruleset for Unregistered
Users".  These are available at the beginning of each new major release.  They
do have newer rule sets for those who are registered and those who subscribe,
but people who are just now installing snort still need a basic set of rules.

Current Official Ruleset for Unregistered Users:
http://www.snort.org/pub-bin/downloads.cgi#PR
http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz
Comment 7 Benjamin Smee (strerror) (RETIRED) gentoo-dev 2005-10-23 10:33:20 UTC
I'm not following the problem. We include the community rules and that is all
you need to RUN snort. If you want more up-to-date rules then go and get them. Are
you saying that you need more than the community rules that are shipped with
snort to get snort to run?
Comment 8 Mark Conway 2005-10-23 11:12:33 UTC
My apologies for being vague.  I started this bug at about 2 in the morning
after trying to figure out why snort wasn't working for me and I knew what I was
talking about, though that apparently didn't help me explain the problem any :)
I will try to start from the beginning this time so I don't miss anything.

On a gentoo system w/o Snort installed...
1. emerge =net-analyzer/snort-2.4.3
2. follow postinst instructions to make the snort mysql database
3. edit /etc/snort/snort.conf to access the mysql db
   output database: log, mysql, user=root password=test dbname=db host=localhost
4. /etc/init.d/snort start
   * Starting snort ... [ ok ]
5. ps x | grep snort
   6648 pts/0    S+     0:00 grep snort
   (Snort isn't actually running at this point)
6. /etc/init.d/snort stop
   * Stopping snort ...
   start-stop-daemon: warning: failed to kill 6587: No such process  [ !! ]
7. /etc/init.d/snort zap
   * Manually resetting snort to stopped state.  [ ok ]
8. snort -T -u snort -i eth0 -l /var/log/snort -c /etc/snort/snort.conf
   (This is essentially the line that the init script uses to start snort except
I have replaced the -D [start daemon] with -T [test] to see what the problem is)
   Running in Test mode with config file: /etc/snort/snort.conf
   Running in IDS mode
   ...
   ERROR: Unable to open rules file: /etc/snort/rules/local.rules or
/etc/snort//etc/snort/rules/local.rules
   Fatal Error, Quitting..
9. Taking a look at the end of /etc/snort/snort.conf I see:
   ($RULE_PATH is defined as /etc/snort/rules earlier in the conf)

include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
 include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules

# Include any thresholding or suppression commands. See threshold.conf in the
# <snort src>/etc directory for details. Commands don't necessarily need to be
# contained in this conf, but a separate conf makes it easier to maintain them. 
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\etc\threshold.conf
# Uncomment if needed.
# include threshold.conf

-- These are all of the basic rules that are missing that stop snort from
starting.  The community rules are great, but they are supposed to be in addition
to the basic rule set.  The community rules aren't even being used, though,
because none of the config files accesses them.

I think that the basic rule set should be included in the snort ebuild so the
most basic of users can just install the ebuild and start snort.  The /most/
basic set is freely available from snort.org from the links that I provided
above.  If the user is a registered user or a subscriber, then they should know
how to download the newer rule sets that they have access to.  Because the basic
rule set for unregistered users only changes once every major release, this
shouldn't be any undue burden on the ebuild maintainers.

---

I think I have described the problem that I see in full now.  But then again it
took me about 45 minutes to write this because my son keeps trying to get my
attention...
Comment 9 Benjamin Smee (strerror) (RETIRED) gentoo-dev 2005-10-23 13:14:29 UTC
OK, snort 2.4.3 should work after the emerge; I THOUGHT that dragonheart had
committed a fix to touch /etc/snort/rules/local.rules, which is all that needs to
happen for snort to load up and work. I disagree that the basic rules should be
included, but I agree that I should add a warning to indicate that the user
should go and get the appropriate ruleset. I'm not able to check now, but if that
fix for the local.rules is not in cvs then I will fix it myself in 12 hours or
so when I am near one of my dev machines.
Comment 10 Mark Conway 2005-10-24 08:32:26 UTC
I installed snort 2.4.3 on another test box today.  This box has never had snort
on it.  I tried your fix to:
$ touch /etc/snort/rules/local.rules
and then ran:
$ snort -T -u snort -i eth0 -l /var/log/snort -c /etc/snort/snort.conf
as I did before to test the config.  Like before, the result was:
   Running in Test mode with config file: /etc/snort/snort.conf
   Running in IDS mode
   ...
   ERROR: Unable to open rules file: /etc/snort/rules/bad-traffic.rules or
/etc/snort//etc/snort/rules/bad-traffic.rules
   Fatal Error, Quitting..
I then touched /etc/snort/rules/bad-traffic.rules and tried the test string
again, which resulted in the same error for exploit.rules, which leads me to
believe that every file.rules in snort.conf needs to either be touched or
commented out.  This again doesn't fix the problem of the community rules not
being loaded due to these rules not existing in a config file anywhere.
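The two failure modes described in comments 8 and 10 (snort.conf including rule files that are not installed, so `snort -T` aborts with "Unable to open rules file", and installed community-*.rules that no include line references, so they are never loaded) can both be caught before starting the daemon by cross-checking snort.conf against the rules directory. The script below is an added example written for this page; it is not part of the Gentoo ebuild, the attached patch, or Snort itself. It assumes the Snort 2.4-era syntax `var RULE_PATH <dir>` and `include $RULE_PATH/<file>` shown in the report, resolves relative includes against the directory holding snort.conf (the second location the error message shows Snort trying), and assumes paths contain no whitespace. The fixture built by `snort_demo_fixture` is constructed sample data modelled on the 2.4.3 install listed in comment 4, not files taken from the package.

```shell
#!/bin/sh
# Added example, not code from the ebuild, the attached patch, or Snort.
#   snort_missing_rules      - included rule files that do not exist
#                              (the "Unable to open rules file" fatal error)
#   snort_unreferenced_rules - *.rules present in RULE_PATH but never included
#                              (installed rules that are silently not loaded)
# Assumes the 2.4-era syntax "var RULE_PATH <dir>" / "include $RULE_PATH/<file>".

# Print the value of "var RULE_PATH" from CONF (last definition wins).
snort_rule_path() {
    awk '{ sub(/#.*/, "") }
         $1 == "var" && $2 == "RULE_PATH" { rp = $3 }
         END { print rp }' "$1"
}

# Print every include target of CONF, one per line, with $RULE_PATH expanded
# and relative paths resolved against the directory holding CONF.
# Commented-out lines such as "# include $RULE_PATH/web-attacks.rules" are skipped.
snort_includes() {
    conf=$1
    confdir=$(dirname "$conf")
    rule_path=$(snort_rule_path "$conf")
    awk '{ sub(/#.*/, "") }
         $1 == "include" { print $2 }' "$conf" |
    while IFS= read -r inc; do
        case $inc in
            '$RULE_PATH'/*) inc="$rule_path/${inc#*/}" ;;
        esac
        case $inc in
            /*) printf '%s\n' "$inc" ;;
            *)  printf '%s\n' "$confdir/$inc" ;;
        esac
    done
}

# Print included files that are absent or unreadable. Returns 1 if any are.
# (Paths are assumed to contain no whitespace.)
snort_missing_rules() {
    status=0
    for path in $(snort_includes "$1"); do
        [ -r "$path" ] || { printf '%s\n' "$path"; status=1; }
    done
    return $status
}

# Print *.rules files in RULE_PATH that no include line references.
snort_unreferenced_rules() {
    conf=$1
    included=$(snort_includes "$conf")
    rule_path=$(snort_rule_path "$conf")
    case $rule_path in
        /*) ;;
        *)  rule_path="$(dirname "$conf")/$rule_path" ;;
    esac
    for f in "$rule_path"/*.rules; do
        [ -e "$f" ] || continue                 # glob matched nothing
        printf '%s\n' "$included" | grep -qxF "$f" || printf '%s\n' "$f"
    done
}

# Constructed fixture shaped like the 2.4.3 install in the report: community
# rules installed, base rules included but absent, local.rules touched as in
# comment 9. Prints the fixture directory. Sample data only, not package files.
snort_demo_fixture() {
    dir=$(mktemp -d)
    mkdir "$dir/rules"
    : > "$dir/rules/community-exploit.rules"
    : > "$dir/rules/community-virus.rules"
    : > "$dir/rules/local.rules"
    : > "$dir/threshold.conf"
    printf '%s\n' \
        "var RULE_PATH $dir/rules" \
        'include $RULE_PATH/local.rules' \
        'include $RULE_PATH/bad-traffic.rules' \
        'include $RULE_PATH/exploit.rules' \
        '# include $RULE_PATH/web-attacks.rules' \
        'include threshold.conf' > "$dir/snort.conf"
    printf '%s\n' "$dir"
}
```

On a real box, `snort_missing_rules /etc/snort/snort.conf` lists the files `snort -T` would fail on, and `snort_unreferenced_rules /etc/snort/snort.conf` lists what is installed but not loaded; on the constructed fixture the first reports bad-traffic.rules and exploit.rules and the second reports the two community files.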
Comment 11 Donald R. Gray Jr 2005-12-06 13:37:31 UTC
Created attachment 74173 [details, diff]
Rules patch

I noticed this problem on my amd64 box last night. I created a patch which
works fine on my machine.
Comment 12 Marcelo Goes (RETIRED) gentoo-dev 2006-01-27 10:09:42 UTC
Basic rules are back in snort-2.4.3-r1, so now it should work by default in new installations.
Donald, thanks for your patch, but I don't think it will be necessary anymore :-).

Thanks for reporting!