
I just installed snort-2.9.7.0 on Fedora 20, and am getting an error when running:

% snort -c /etc/snort/snort.conf --dump-dynamic-rules=/tmp
Running in Rule Dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80:81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
ERROR: /etc/snort//etc/snort/rules/local.rules(0) Unable to open rules file "/etc/snort//etc/snort/rules/local.rules": No such file or directory.

I do have /etc/snort/snort.conf and here is a relevant snippet:

var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules

What could be the reason that it's unable to locate the file? Thanks.

Mark

1 Answer


Did you by any chance try:

var RULE_PATH rules
include $RULE_PATH/local.rules
Jakov Sosic
  • Thanks Jakov, it does help; no more complaints about /etc/snort//etc/snort/rules/local.rules. However, the other thing is that I don't have these rules installed in /etc/snort/rules; I have only community.rules, which I downloaded from snort.org. Does this mean I simply need to leave only "include $RULE_PATH/community.rules" and comment out the rest? – Mark Feb 18 '15 at 20:00
  • Rules selection depends on the things you want to monitor/detect with snort, so it all depends. You can take a look at pulledpork (http://code.google.com/p/pulledpork/), and download additional rules. But yes, you can safely comment out everything you don't want/need/have on your system. – Jakov Sosic Feb 18 '15 at 20:03
  • I see, the default snort.conf is "one-size-fits-all" case, so it has to be modified according to my needs. Thanks. – Mark Feb 18 '15 at 20:09
  • But it did solve his problem, didn't it? – Jakov Sosic Feb 19 '15 at 04:07
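A small helper for the follow-up in the comments (finding which `include $RULE_PATH/...` lines point at rule files that are not installed, so they can be commented out before Snort aborts on them). This is an added example, not code from the thread or from the Snort project; it resolves relative includes against the directory of snort.conf, which is the form the answer recommends, and the sample configuration it builds is constructed for the demo.

```shell
#!/bin/sh
# Report every "include" target in a snort.conf that does not exist on disk.
# Usage: check_rule_includes /etc/snort/snort.conf
check_rule_includes() {
    conf=$1
    confdir=$(dirname "$conf")
    awk -v confdir="$confdir" '
        # "var NAME VALUE": remember VALUE so $NAME can be expanded later
        $1 == "var" && NF >= 3 { vars[$2] = $3; next }
        $1 == "include" && NF >= 2 {
            path = $2
            # expand every $NAME reference with the var definitions seen so far
            for (v in vars) gsub("\\$" v, vars[v], path)
            # a relative include is taken relative to the snort.conf directory
            # (the "var RULE_PATH rules" form suggested in the answer)
            if (substr(path, 1, 1) != "/") path = confdir "/" path
            print path
        }
    ' "$conf" | while IFS= read -r f; do
        [ -f "$f" ] || echo "MISSING $f"
    done
}

# Constructed demo layout (not a real /etc/snort): community.rules is present,
# local.rules is referenced by the config but was never installed.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/rules"
: > "$demo_dir/rules/community.rules"
cat > "$demo_dir/snort.conf" <<EOF
var RULE_PATH rules
include \$RULE_PATH/community.rules
include \$RULE_PATH/local.rules
EOF

check_rule_includes "$demo_dir/snort.conf"
rm -rf "$demo_dir"
```

Each line printed names an include that Snort would fail on; comment that line out in snort.conf or install the missing rule file.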