
#1 2017-04-16 08:36:17

rafdre
Member
From: Gdansk
Registered: 2013-09-21
Posts: 76

SNORT configuration issue - white_list.rules Error

Hello all,

For better protection I decided to configure SNORT on my PC, which I use as a server.
In the beginning I had some issues, but solved them with the help of this post: https://www.howtoforge.com/intrusion-detection-with-snort-mysql-apache2-on-ubuntu-7.10.
I downloaded the rules from www.snort.org and stored them in /etc/snort/rules

The only remaining issue is with this:
After I start "snort -c /etc/snort/snort.conf" I get this error:

..........
Reputation config: 
ERROR: /etc/snort/snort.conf(515) => Unable to open address file /etc/snort/rules/white_list.rules, Error: No such file or directory
Fatal Error, Quitting..

I have checked the folder and the rules I downloaded, and indeed this one is missing (white_list.rules).
Is there any template which I can use?

Can somebody help me to solve this?

regards
Rafal


#2 2017-04-16 08:46:23

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424

Re: SNORT configuration issue - white_list.rules Error

Did you try commenting that line in your conf?

Why are you using an ancient Ubuntu tutorial; there is a wiki page: https://wiki.archlinux.org/index.php/Sn … figuration


Moving to NC.


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438


#3 2017-04-17 09:09:21

rafdre
Member
From: Gdansk
Registered: 2013-09-21
Posts: 76

Re: SNORT configuration issue - white_list.rules Error

That's how I now tried to solve the issue.

The first place is the definition of the path:

var WHITE_LIST_PATH rules

When I commented this line out I got the error:

ERROR: /etc/snort/snort.conf(515) Undefined variable name: WHITE_LIST_PATH.

Therefore I found a second place in the config file.

The second place looks like this:

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules 

So I changed it to:

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   #whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/blacklist.rules 

As you see, the name of the file with the black list rules now looks different than before. This is because I noticed that the name I see in that directory is different from the one proposed in the config file.

The next issue I faced was:

Processing blacklist file /etc/snort/rules/blacklist.rules
  (22) => Invalid address: 'alert udp $HOME_NET any 

This error is gone when I disable the black list as well, but I think this is not a good approach.
So how can I solve an error like "Invalid address: 'alert udp $HOME_NET any "?

My variables in config file look like this:

# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.1.0/24

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET

And the last question is about the usage of rules.
On the SNORT home page I see community rules plus another package (available after registration) which contains a lot of rules.
Actually I downloaded both, but I think there is redundancy:

When I have this line in config (plus other rules)

 include $RULE_PATH/community.rules 

I get warnings like this:

WARNING: /etc/snort/rules/malware-cnc.rules(1764) GID 1 SID 28541 in rule duplicates previous rule. Ignoring old rule.

So the question is simple: does any more experienced person know why we need community.rules and what its usage is compared to the other rules?

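The "Invalid address: 'alert udp $HOME_NET any" error in the post above comes from pointing the reputation preprocessor at a signature rule file: its whitelist/blacklist files hold one IP address or CIDR block per line (with `#` comments), not `alert ...` rules. The checker below is an added example written for this thread, not part of Snort or the rules package; the file name `blacklist.rules` and both sample file contents are constructed, and it reproduces the preprocessor's line-numbered diagnostic so a misplaced file is caught before Snort is started.

```python
"""Check that a file handed to Snort's reputation preprocessor really is an
IP list (one IPv4/IPv6 address or CIDR per line, '#' comments) rather than a
signature rule file. Added example for this thread; samples are constructed."""
import ipaddress
import sys

RULE_ACTIONS = ("alert", "drop", "log", "pass", "reject", "sdrop")

def validate_reputation_list(text):
    """Return (entries, errors): parsed networks and (line_no, message) tuples."""
    entries, errors = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        try:
            entries.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            msg = f"Invalid address: '{line[:32]}'"
            if line.split(" ", 1)[0] in RULE_ACTIONS:
                msg += " (signature rule found; reputation lists take IPs/CIDRs only)"
            errors.append((line_no, msg))
    return entries, errors

# Constructed sample: what a reputation list is supposed to look like
GOOD_LIST = """\
# black_list.rules: addresses the reputation preprocessor should block
203.0.113.0/24
198.51.100.7
2001:db8::/32
"""

# Constructed sample: the start of a *signature* rules file, which is the kind
# of content behind the "Invalid address: 'alert udp $HOME_NET any" error
RULES_FILE = """\
# blacklist.rules from a ruleset: signature rules, not an IP list
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"example"; sid:1000001; rev:1;)
"""

def check_file(path):
    """Print Snort-style diagnostics for one file; return True if it is clean."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        entries, errors = validate_reputation_list(fh.read())
    for line_no, msg in errors:
        print(f"{path}({line_no}) => {msg}")
    print(f"{path}: {len(entries)} valid entries, {len(errors)} errors")
    return not errors

if __name__ == "__main__":
    sys.exit(0 if all(check_file(p) for p in sys.argv[1:]) else 1)
```

Run it as `python3 check_replist.py /etc/snort/rules/black_list.rules /etc/snort/rules/white_list.rules`; a non-zero exit means one of the files is not a plain IP list.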
