
Resolved
0 votes
When I add some rules to snort (e.g. Network scan), snort enters a stopped state
/etc/snort.conf

include $RULE_PATH/gpl/scan.rules


systemctl status snort.service
● snort.service - SYSV: Snort Network Intrusion Detection System
Loaded: loaded (/etc/rc.d/init.d/snort)
Active: failed (Result: exit-code) since Sun 2016-10-16 10:40:57 SAST; 48s ago
Docs: man:systemd-sysv-generator(8)
Process: 21399 ExecStop=/etc/rc.d/init.d/snort stop (code=exited, status=0/SUCCESS)
Process: 21450 ExecStart=/etc/rc.d/init.d/snort start (code=exited, status=1/FAILURE)

Oct 16 10:40:57 gateway.dc.lan snort[21464]: Initializing Output Plugins!
Oct 16 10:40:57 gateway.dc.lan snort[21464]: Initializing Preprocessors!
Oct 16 10:40:57 gateway.dc.lan snort[21464]: Initializing Plug-ins!
Oct 16 10:40:57 gateway.dc.lan snort[21464]: Parsing Rules file "/etc/snort.conf"
Oct 16 10:40:57 gateway.dc.lan snort[21464]: FATAL ERROR: /etc/snort.conf(2) Undefined variable name: RULE_PATH.
Oct 16 10:40:57 gateway.dc.lan snort[21450]: Starting snort: [FAILED]
Oct 16 10:40:57 gateway.dc.lan systemd[1]: snort.service: control process exited, code=exited status=1
Oct 16 10:40:57 gateway.dc.lan systemd[1]: Failed to start SYSV: Snort Network Intrusion Detection System.
Oct 16 10:40:57 gateway.dc.lan systemd[1]: Unit snort.service entered failed state.
Oct 16 10:40:57 gateway.dc.lan systemd[1]: snort.service failed.


As the error seems to be the variable RULE_PATH, I added it to /etc/snort.conf

var RULE_PATH /etc/snort.d/rules
include $RULE_PATH/gpl/scan.rules


systemctl start snort.service
Job for snort.service failed because the control process exited with error code. See "systemctl status snort.service" and "journalctl -xe" for details.


But still snort doesn't start

[root@gateway ~]# systemctl status snort.service
● snort.service - SYSV: Snort Network Intrusion Detection System
Loaded: loaded (/etc/rc.d/init.d/snort)
Active: failed (Result: exit-code) since Sun 2016-10-16 10:43:59 SAST; 19s ago
Docs: man:systemd-sysv-generator(8)
Process: 21399 ExecStop=/etc/rc.d/init.d/snort stop (code=exited, status=0/SUCCESS)
Process: 22348 ExecStart=/etc/rc.d/init.d/snort start (code=exited, status=1/FAILURE)

Oct 16 10:43:59 gateway.dc.lan snort[22364]: Parsing Rules file "/etc/snort.conf"
Oct 16 10:43:59 gateway.dc.lan snort[22364]: Tagged Packet Limit: 256
Oct 16 10:43:59 gateway.dc.lan snort[22364]: Log directory = /var/log/snort
Oct 16 10:43:59 gateway.dc.lan snort[22364]:
Oct 16 10:43:59 gateway.dc.lan snort[22364]: +++++++++++++++++++++++++++++++++++++++++++++++++++
Oct 16 10:43:59 gateway.dc.lan snort[22348]: Starting snort: [FAILED]
Oct 16 10:43:59 gateway.dc.lan systemd[1]: snort.service: control process exited, code=exited status=1
Oct 16 10:43:59 gateway.dc.lan systemd[1]: Failed to start SYSV: Snort Network Intrusion Detection System.
Oct 16 10:43:59 gateway.dc.lan systemd[1]: Unit snort.service entered failed state.
Oct 16 10:43:59 gateway.dc.lan systemd[1]: snort.service failed.


Any ideas?
Sunday, October 16 2016, 08:45 AM
Responses (3)
  • Accepted Answer

    Monday, October 17 2016, 02:18 PM - #Permalink
    Resolved
    0 votes
    I fixed this by uninstalling and re-installing the app
  • Accepted Answer

    Monday, October 17 2016, 02:07 PM - #Permalink
    Resolved
    0 votes
    Hi Nick

    Oct 17 15:50:34 gateway snort[1652]: Initializing rule chains...
    Oct 17 15:50:34 gateway snort[1652]: FATAL ERROR: /etc/snort.d/rules/gpl/scan.rules(2) Undefined variable in the string: $EXTERNAL_NET.
    Oct 17 15:50:34 gateway snort: Starting snort: [FAILED]


    Seems like variables are not being correctly defined - I presume this config should be automatic and not have to be defined manually?
  • Accepted Answer

    Sunday, October 16 2016, 03:24 PM - #Permalink
    Resolved
    0 votes
    Have a look at the snort log and/or /var/log/messages. There is probably a better error description there. Any error in the rules tends to make snort fall over completely.

    If you are downloading the rules from Emerging Threats make sure you use the open-nogpl rules or you risk duplicate rule numbers which will cause snort to fall over.
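Both fatal errors in this thread come from a `$VAR` being used before it is defined, first in /etc/snort.conf and then in the included scan.rules, and that can be checked before restarting the service. The following is an added example, not part of the original posts or of Snort itself: a simplified Python checker that follows `include` lines in order and lists every undefined variable. The function names, the sample rule and the file contents are constructed for illustration; only the `$NAME` form is handled, with no line continuations.

```python
import re

VAR_DEF = re.compile(r"^(?:var|ipvar|portvar)\s+(\w+)\s+(.*)$")
VAR_REF = re.compile(r"\$(\w+)")
INCLUDE = re.compile(r"^include\s+(\S+)$")

# Constructed sample: path -> file text, modelled on the thread's layout.
# The rule is NOT the real content of scan.rules.
SAMPLE = {
    "/etc/snort.conf":
        "var RULE_PATH /etc/snort.d/rules\n"
        "include $RULE_PATH/gpl/scan.rules\n",
    "/etc/snort.d/rules/gpl/scan.rules":
        "# constructed rule for illustration\n"
        "alert tcp $EXTERNAL_NET any -> $HOME_NET any "
        '(msg:"constructed scan rule"; flags:S; sid:1000001; rev:1;)\n',
}

def expand(text, defined):
    """Substitute known variables; leave unknown ones untouched."""
    return VAR_REF.sub(lambda m: defined.get(m.group(1), m.group(0)), text)

def find_undefined(files, entry, defined=None, problems=None):
    """Walk `entry` and its includes top to bottom and return
    (file, line, variable) for every $VAR used before its definition."""
    defined = {} if defined is None else defined
    problems = [] if problems is None else problems
    for lineno, raw in enumerate(files[entry].splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Only look before the first "(": rule options (content, pcre)
        # may legitimately contain "$" that is not a variable.
        head = line.split("(", 1)[0]
        for name in VAR_REF.findall(head):
            if name not in defined:
                problems.append((entry, lineno, name))
        m = VAR_DEF.match(line)
        if m:
            defined[m.group(1)] = expand(m.group(2), defined)
            continue
        m = INCLUDE.match(line)
        if m and expand(m.group(1), defined) in files:
            find_undefined(files, expand(m.group(1), defined), defined, problems)
    return problems

if __name__ == "__main__":
    for path, lineno, name in find_undefined(SAMPLE, "/etc/snort.conf"):
        print(f"{path}({lineno}) undefined variable: ${name}")
```

Snort's own test mode (`snort -T -c /etc/snort.conf`) validates the real configuration but stops at the first fatal error, whereas this pass lists every undefined variable at once.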