Intrusion Detection was stopped in my IPCoP, version 1.4.1, a while a go, I tried to start them all three through GUI but Got message fail to start.
I loged in in console of Ipcop.
I checked the existing version of snort, which was older than latest.
root@firewall:/etc/snort/rules # snort --version
snort: unrecognized option `--version'
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.6.1.5 (Build 59)  
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.
And when tried to start the snort using this command
root@firewall:~ # snort -c /etc/snort/snort.conf -l /var/log/snort/
I got error that there is error in line # 38 in exploit.rules file located in /etc/snort/rules/ folder.
When I tried to comment the line it gives error on line#39.
Solution
Replace the existing rules folder with working one.
For that I installed the latest snort in my laptop, and check the version.
imran@imran-laptop~ $ sudo apt-get install snort-mysql
imran@imran-laptop~ $ snort --version
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5.2 (Build 121)  
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 7.8 2008-09-05
 and copied the rules folder in to IPcop
imran@imran-laptop~ $ scp '-P 22' exploit.rules root@10.10.0.1:/root
Then I make .tar of existing rules folder in IPCoP
root@firewall:/etc/snort/rules # tar -cvf rules.tar  .
 and replaced the one copied from my laptop and changed the permission to user nobody:nobody
root@firewall:/etc/snort/rules # chown -R nobody:nobody rules
Now IP cop has new rules list, although these rules were from new version of Snort 2.8.6
When I restarted snort again from console with above command, this time no error and it started straight away.
Then I can start and stop from GUI successfully.
 
 
1 comment:
Your excellent guidelines will be of great help to many. Nice post. I enjoyed reading it. Thanks! Intrusion Detection
Post a Comment