Error While Running Snort

3

1

I have been trying to get snort IDS to work, but I am having some difficulty. When I run snort -c /etc/snort/snort.conf -l /var/log/snort I keep getting this error.

Initializing rule chains...
Warning: /etc/snort/rules/dos.rules(42) => threshold (in rule) is deprecated; use detection_filter instead.
ERROR: /etc/snort/rules/community-virus.rules(19) => !any is not allowed

Any help would be greatly appreciated.

Itchy Nekotorych

Posted 2012-08-02T15:14:22.723

Reputation: 141

Answers

4

Warning: /etc/snort/rules/dos.rules(42) => threshold (in rule) is deprecated

Just a warning. It should still work, but in the future this rule may stop working as written.

ERROR: /etc/snort/rules/community-virus.rules(19) => !any is not allowed

You have rules utilizing a variable that is being negated. In a fresh install, this is often seen when you fail to set a range for $HOME_NET in your snort.conf. By default it is set to:

ipvar HOME_NET any

So if a rule uses !$HOME_NET (which many VRT rules do), snort throws an error. Resolution can be as simple as setting the subnet for your home network. For example:

ipvar HOME_NET 192.168.1.1/24

J.T.S.

Posted 2012-08-02T15:14:22.723

Reputation: 83
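
An added example, not part of the answer above and not Snort's own code: a pre-flight check that reports every rule header negating a variable that resolves to any, including through an alias such as DNS_SERVERS $HOME_NET. The config and rule text are constructed samples and the function names are hypothetical; it assumes variables are referenced as $NAME and follows only single-alias values.

```python
import re

VAR_DEF = re.compile(r"^\s*(?:ipvar|var)\s+(\w+)\s+(\S+)")
NEGATED = re.compile(r"!\$(\w+)|!(any)\b")

# Constructed samples for illustration, not the poster's files.
SAMPLE_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
ipvar DNS_SERVERS $HOME_NET
"""
SAMPLE_RULES = """\
# alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"disabled"; sid:1000001;)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"constructed A"; sid:1000002;)
alert udp $EXTERNAL_NET any -> !$DNS_SERVERS 53 (msg:"constructed B"; sid:1000003;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed C"; content:!"x"; sid:1000004;)
"""

def parse_vars(conf_text):
    """Map variable name -> raw value for uncommented ipvar/var lines."""
    matches = (VAR_DEF.match(line) for line in conf_text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def resolves_to_any(name, variables, seen=()):
    """True if the variable is 'any', directly or via a chain of $ALIAS values."""
    value = variables.get(name)
    if value is None or name in seen:  # undefined variable or alias loop
        return False
    if value == "any":
        return True
    if value.startswith("$"):
        return resolves_to_any(value[1:], variables, seen + (name,))
    return False

def find_negated_any(rules_text, variables):
    """Return (line_number, token) for each header negation that becomes '!any'."""
    hits = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        header = line.split("(", 1)[0]  # ignore rule options such as content:!"x"
        for m in NEGATED.finditer(header):
            if m.group(2) or resolves_to_any(m.group(1), variables):
                hits.append((n, m.group(0)))
    return hits

if __name__ == "__main__":
    for lineno, token in find_negated_any(SAMPLE_RULES, parse_vars(SAMPLE_CONF)):
        print(f"line {lineno}: {token} resolves to !any")
```
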

0

Can you paste the following lines in from your rules files? It appears that there are problems on lines 42 and 19 (respectively).

lines 30-50 from dos.rules

lines 10-30 from community-virus.rules

ABashore

Posted 2012-08-02T15:14:22.723

Reputation: 535