Package: snort
Version: 2.9.2.2-2
Severity: important

First of all, I don't really know much about snort, but installing it seemed like a good idea at the time. This may be incredibly stupid of me, and I just don't realize it. That said, the latest package fails to configure for me, and I can't figure out what to do about it. Attempting to rule out bad configuration, I purged the old packages so that I would get a clean install. This is what happens when the package is configured:

# dpkg --configure --pending
Setting up snort (2.9.2.2-2) ...
[warn] Stopping Network Intrusion Detection System : snort[....] - No running snort instance found ... (warning).
[FAIL] Starting Network Intrusion Detection System : snort (eth0 using /etc/snort/snort.conf ...ERROR: failed (check /var/log/daemon.log, /var/log/syslog and /var/log/snort/)) failed!
invoke-rc.d: initscript snort, action "start" failed.
dpkg: error processing snort (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 snort

There is nothing to see in /var/log/snort other than an empty "alerts" file. There are plenty of messages in daemon.log and syslog (they appear to be the same messages), but none of them look like obvious errors to me. The last few were:

Jun 16 22:35:07 localhost snort[23531]: rpc_decode arguments:
Jun 16 22:35:07 localhost snort[23531]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
Jun 16 22:35:07 localhost snort[23531]:     alert_fragments: INACTIVE
Jun 16 22:35:07 localhost snort[23531]:     alert_large_fragments: INACTIVE
Jun 16 22:35:07 localhost snort[23531]:     alert_incomplete: INACTIVE
Jun 16 22:35:07 localhost snort[23531]: alert_multiple_requests: INACTIVE
Jun 16 22:35:07 localhost snort[23531]: FTPTelnet Config:
Jun 16 22:35:07 localhost snort[23531]:     GLOBAL CONFIG
Jun 16 22:35:07 localhost snort[23531]:       Inspection Type: stateful
Jun 16 22:35:07 localhost snort[23531]: Check for Encrypted Traffic: YES alert: NO
Jun 16 22:35:07 localhost snort[23531]: Continue to check encrypted data: NO
Jun 16 22:35:07 localhost rsyslogd-2177: imuxsock begins to drop messages from pid 23531 due to rate-limiting

If I start snort in self-test mode I get a lot of output, with the last couple of lines being:

DNP3 config:
    Memcap: 262144
    Check Link-Layer CRCs: ENABLED
    Ports:
        20000
Reputation config:
ERROR: /etc/snort/snort.conf(512) => Unable to open address file /etc/snort/../rules/white_list.rules, Error:
Fatal Error, Quitting..

But I don't know if that error is what's preventing configuration, or if the error happens because the package isn't configured. I can't find any package that provides the file, so I figured that perhaps it's automatically generated or something like that.

Please let me know if there's any information I should provide to help diagnosing the problem.

Regards,

Torbjörn Andersson


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages snort depends on:
ii  adduser                      3.113+nmu3
ii  debconf [debconf-2.0]        1.5.43
ii  libc6                        2.13-33
ii  libdaq0                      0.6.2-2
ii  libdumbnet1                  1.12-3.1
ii  libgcrypt11                  1.5.0-3
ii  libgnutls26                  2.12.20-1
ii  libpcap0.8                   1.3.0-1
ii  libpcre3                     1:8.30-5
ii  libprelude2                  1.0.0-9
ii  libuuid1                     2.20.1-5
ii  logrotate                    3.8.1-4
ii  net-tools                    1.60-24.1
ii  rsyslog [system-log-daemon]  5.8.11-1+b1
ii  snort-common                 2.9.2.2-2
ii  snort-common-libraries       2.9.2.2-2
ii  snort-rules-default          2.9.2.2-2
ii  zlib1g                       1:1.2.7.dfsg-11

Versions of packages snort recommends:
ii  iproute  20120521-2

Versions of packages snort suggests:
pn  snort-doc  <none>

-- debconf information:
* snort/startup: boot
  snort/please_restart_manually:
* snort/stats_treshold: 1
* snort/address_range: 192.168.0.0/16
  snort/options:
  snort/invalid_interface:
* snort/interface: eth0
* snort/stats_rcpt: d91tan
* snort/send_stats: true
  snort/config_parameters:
  snort/disable_promiscuous: false


