OSX: Snort: ERROR: /etc/snort/../rules/local.rules(0) Unable to open rules file "/etc/snort/../rules/local.rules": No such file or directory

23,638

Note: this answer is composed from a dialog in the comments of the original question.


The problem with the rule directory
From the error it's clear that somewhere (probably in snort.conf) there is a .. pointing to the wrong path. Based on the error, I'd say that var RULE_PATH ../rules is in the config file. You should change that either to var RULE_PATH ./rules or use an absolute path: var RULE_PATH /etc/snort/rules. You should do this for SO_RULE_PATH and PREPROC_RULE_PATH too. So your config now has:

    var RULE_PATH /etc/snort/rules
    var SO_RULE_PATH /etc/snort/so_rules
    var PREPROC_RULE_PATH /etc/snort/preproc_rules

The problem with outputting data to a database
Since snort 2.9.3.0, direct database output isn't supported anymore. You should use snort's unified output (like this: output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types). You could use Barnyard2 instead to redirect to postgresql. Explaining how to set this up would go (in my opinion) too far for this answer. A basic start can be found here. A far more elaborate explanation (and one specifically targeted at OSX) can be found here.
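As an added example (not part of the question or the answer above, and not Snort's or Barnyard2's own tooling), here is a small POSIX sh lint for a snort.conf that catches both failures from this thread before Snort is started: rule path variables that are relative (and therefore resolved against the config directory, which is what the /etc/snort/../rules/local.rules error shows), include targets that do not exist, and the removed "output database" plugin. The assumed resolution rule (relative path is prefixed with the directory holding snort.conf) is inferred from that error message. The sample config tree it builds under a temporary directory is constructed for the demo and never touches the real /etc/snort.

```shell
#!/bin/sh
# Added example, not part of the original question or answer: a lint for
# snort.conf reproducing the two failures discussed on this page.
# Assumption (inferred from the "/etc/snort/../rules/local.rules" error):
# Snort resolves a relative RULE_PATH against the directory holding snort.conf.

# check_snort_conf CONF
#   Prints one line per finding; returns 0 when clean, 1 otherwise.
check_snort_conf() {
    conf=$1
    confdir=$(cd "$(dirname "$conf")" && pwd)
    problems=0
    RULE_PATH= SO_RULE_PATH= PREPROC_RULE_PATH=
    set -f                      # no globbing while we split config lines
    while IFS= read -r line; do
        case $line in
            "var "*"_PATH "*)
                set -- $line
                name=$2 value=$3
                case $value in
                    /*) resolved=$value ;;
                    *)  resolved="$confdir/$value"
                        printf 'WARN: %s is relative (%s); Snort will read %s\n' \
                            "$name" "$value" "$resolved"
                        problems=1 ;;
                esac
                if [ ! -d "$resolved" ]; then
                    printf 'ERROR: %s -> %s does not exist\n' "$name" "$resolved"
                    problems=1
                fi
                case $name in
                    RULE_PATH)         RULE_PATH=$resolved ;;
                    SO_RULE_PATH)      SO_RULE_PATH=$resolved ;;
                    PREPROC_RULE_PATH) PREPROC_RULE_PATH=$resolved ;;
                esac ;;
            "include "*)
                set -- $line
                target=$2
                # Expand the three standard path variables as snort.conf uses them.
                case $target in
                    '$RULE_PATH/'*)         rest=${target#'$RULE_PATH/'}; target=$RULE_PATH/$rest ;;
                    '$SO_RULE_PATH/'*)      rest=${target#'$SO_RULE_PATH/'}; target=$SO_RULE_PATH/$rest ;;
                    '$PREPROC_RULE_PATH/'*) rest=${target#'$PREPROC_RULE_PATH/'}; target=$PREPROC_RULE_PATH/$rest ;;
                esac
                if [ ! -f "$target" ]; then
                    printf 'ERROR: include target %s not found\n' "$target"
                    problems=1
                fi ;;
            "output database:"*)
                printf 'ERROR: "output database" is unsupported since Snort 2.9.3.0; use "output unified2: ..." and feed the log to Barnyard2\n'
                problems=1 ;;
        esac
    done < "$conf"
    set +f
    return $problems
}

# make_sample_conf ROOT MODE
#   Builds a constructed, minimal tree under ROOT that mimics /etc/snort.
#   MODE "broken" uses the relative paths and database output from the question;
#   MODE "fixed" uses absolute paths and unified2 output as in the answer.
make_sample_conf() {
    root=$1 mode=$2
    mkdir -p "$root/etc/snort/rules" "$root/etc/snort/so_rules" "$root/etc/snort/preproc_rules"
    printf '# constructed sample rule\nalert icmp any any -> any any (msg:"ICMP test"; sid:1000001; rev:1;)\n' \
        > "$root/etc/snort/rules/local.rules"
    if [ "$mode" = broken ]; then prefix=..; else prefix=$root/etc/snort; fi
    cat > "$root/etc/snort/snort.conf" <<EOF
# constructed sample snort.conf
var HOME_NET any
var RULE_PATH $prefix/rules
var SO_RULE_PATH $prefix/so_rules
var PREPROC_RULE_PATH $prefix/preproc_rules
include \$RULE_PATH/local.rules
EOF
    if [ "$mode" = broken ]; then
        printf 'output database: log, postgresql, user=snort password=changeme dbname=snort host=localhost\n' >> "$root/etc/snort/snort.conf"
    else
        printf 'output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types\n' >> "$root/etc/snort/snort.conf"
    fi
}

# Demo on a constructed tree (never touches the real /etc/snort).
demo() {
    root=$(mktemp -d)
    make_sample_conf "$root" broken
    echo "--- broken conf (relative paths, database output):"
    check_snort_conf "$root/etc/snort/snort.conf" || echo "exit status: $?"
    make_sample_conf "$root" fixed
    echo "--- fixed conf:"
    check_snort_conf "$root/etc/snort/snort.conf" && echo "no problems found"
    rm -rf "$root"
}
demo
```

To use it against a real install, source the file and run check_snort_conf /etc/snort/snort.conf; a non-zero exit means Snort would fail at startup for one of the reasons above. The script deliberately avoids eval, so a hostile line in the config cannot execute anything while being checked.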


Author: Drew

Updated on September 18, 2022

Comments

  • Drew (over 1 year ago)

    I'm trying to set up and run Snort IDS on mac using this kind of tutorial: https://discussions.apple.com/thread/3370709?start=0&tstart=0

    OSX Yosemite (10.10.2); PostgreSQL 9.4.1 (installed with Homebrew); Snort: stable 2.9.7.0 (installed with Homebrew)

    When I finally try to start it like this:

    $ sudo /usr/local/bin/snort -d -e -i en0 -c /etc/snort/snort.conf
    

    Getting this:

    Password:
    
    Running in IDS mode
    
      --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file "/etc/snort/snort.conf"
    ...
    ERROR: /etc/snort/../rules/local.rules(0) Unable to open rules file "/etc/snort/../rules/local.rules": No such file or directory.
    
    Fatal Error, Quitting..
    

    The rule is actually in place at /etc/snort/rules/local.rules

    RULE_PATH is set in /etc/snort/snort.conf to /etc/snort/rules

    So:

    $ echo $RULE_PATH
    /etc/snort/rules
    

    Trying this:

    $ grep RULE_PATH /etc/snort/snort.conf
    
    var RULE_PATH ../rules
    var SO_RULE_PATH ../so_rules
    var PREPROC_RULE_PATH ../preproc_rules
    ...
    

    Well after changing

    var RULE_PATH ../rules
    var SO_RULE_PATH ../so_rules
    var PREPROC_RULE_PATH ../preproc_rules
    

    to

    var RULE_PATH /etc/snort/rules
    var SO_RULE_PATH /etc/snort/so_rules
    var PREPROC_RULE_PATH /etc/snort/preproc_rules
    

    Getting:

    $ sudo /usr/local/bin/snort -d -e -i en0 -c /etc/snort/snort.conf
    Running in IDS mode
    
            --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file "/etc/snort/snort.conf"
    ...
    ERROR: /etc/snort/snort.conf(741) Unknown output plugin: "database"
    Fatal Error, Quitting..
    

    Line 741 in /etc/snort/snort.conf is:

    output database: log, postgresql, user=snort password=password dbname=snort host=localhost

    So since snort 2.9.3.0 direct database output isn't supported anymore. I should use snort's unified output. I could use Barnyard2 instead to redirect to postgresql.