I’ve been trying to implement snort with Nethserv for several days, but I cant get it working.
I get this error when Expert mode is enabled:
FATAL ERROR: /etc/snort/rules/snort.rules(6794) Unknown rule option: 'ssl_version'.
This happens because the ssl prepocessor is disabled, but snort.config on nethserv has no option to enable ssl prepocessor and it says it is not editable.
Also snort process stops on expert mode:
snort dead but subsys locked.
So, if I can’t edit snort.config what should I do to edit snort configurations to enable ssl preprocessor? Do I really need to add it?
See I want to personalize Snort?
I had a look at this on an updated ns7b1.
Near as I can tell, sslv3 is a problem, don’t know why, but once I identified all the rules referencing sslv3 I got a successful snort start.
1:2019415 1:2019416 1:2019417 1:2019418
I also got a successful hit with a test page.
The issue I’m having is that it’s only seeing traffic directed to the NS node, it’s not seeing network traffic to other nodes even though it’s on taps, it’s like the interfaces are not in promisc. I remember it was described as a different snort setup, something through e-smith… I can’t remember, my thought is it’s setup to scan traffic passing through, say as a gateway, ext to int, and so the interfaces aren’t set to promisc, so it can’t work as a standalone ids on taps. Am I right? Can this be an option?