OSX: Snort: ERROR: /etc/snort/../rules/local.rules(0) Unable to open rules file "/etc/snort/../rules/local.rules": No such file or directory
Note: this answer is composed from a dialog in the comments of the original question.
The problem with the rule directory
From the error it's clear that somewhere (probably in
snort.conf
) there is a ..
, pointing to the wrong path. Based on the error, I'd say that var RULE_PATH ../rules
is in the config file. You should change that either to var RULE_PATH ./rules
or use an absolute path: var RULE_PATH /etc/snort/rules
. You should do this for SO_RULE_PATH
and PREPROC_RULE_PATH
too. So your config now has:
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
The problem with outputting data to a database
Since snort 2.9.3.0, direct database output isn't supported anymore. You should use snort's unified output (like this" output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types
). You could use Barnyard2 instead to redirect to postgresql. Explaining how to set this up would go (in my opinion) too far for this answer. A basic start can be found here. A far more elaborate explanation (and specific targeted for OSX) can be found here.
Related videos on Youtube
Drew
Updated on September 18, 2022Comments
-
Drew over 1 year
I'm trying to setup and run Snort IDS on mac using this kinda tutorial: https://discussions.apple.com/thread/3370709?start=0&tstart=0
OSX Yosemite (10.10.2); PostgreSQL 9.4.1 (installed with Homebrew) Snort: stable 2.9.7.0 (installed with Homebrew)
When I finally try to star it like this:
$ sudo /usr/local/bin/snort -d -e -i en0 -c /etc/snort/snort.conf
Getting this:
Password: Running in IDS mode --== Initializing Snort ==-- Initializing Output Plugins! Initializing Preprocessors! Initializing Plug-ins! Parsing Rules file "/etc/snort/snort.conf" ... ERROR: /etc/snort/../rules/local.rules(0) Unable to open rules file "/etc/snort/../rules/local.rules": No such file or directory. Fatal Error, Quitting..
The rule is actually on place at
/etc/snort/rules/local.rules
RULE_PATH
is set in/etc/snort/snort.conf
to/etc/snort/rules
So:
$ echo $RULE_PATH /etc/snort/rules
trying this:
$ grep RULE_PATH /etc/snort/snort.conf var RULE_PATH ../rules var SO_RULE_PATH ../so_rules var PREPROC_RULE_PATH ../preproc_rules ...
Well after changing
var RULE_PATH ../rules var SO_RULE_PATH ../so_rules var PREPROC_RULE_PATH ../preproc_rules
to
var RULE_PATH /etc/snort/rules var SO_RULE_PATH /etc/snort/so_rules var PREPROC_RULE_PATH /etc/snort/preproc_rules
Getting:
$ sudo /usr/local/bin/snort -d -e -i en0 -c /etc/snort/snort.conf Running in IDS mode --== Initializing Snort ==-- Initializing Output Plugins! Initializing Preprocessors! Initializing Plug-ins! Parsing Rules file "/etc/snort/snort.conf" ... ERROR: /etc/snort/snort.conf(741) Unknown output plugin: "database" Fatal Error, Quitting..
Line 741 in
/etc/snort/snort.conf
is:output database: log, postgresql, user=snort password=password dbname=snort host=localhost
So since snort 2.9.3.0 direct database output isn't supported anymore. I should use snort's unified output. I could use Barnyard2 instead to redirect to postgresql.