最开始是关snort的时候不小心直接用了sudo pkill -9 snort ,之后不管再想用就各种显示 command not found,然后我去/usr/local/bin里重新启动snort,之后启动报错说ERROR: /etc/snort/rules//local.rules(2) Content data needs to be enclosed in quotation marks (")!
我又去snort.conf里确认了一下路径
var RULE_PATH /etc/snort/rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
注释掉snort.conf里面自动加载规则
sudo sed -i 's/include $RULE_PATH/#include $RULE_PATH/' /etc/snort/snort.conf
这终于运行了,然后我做了测试,结果/var/log/snort/alert里一直没显示,我还以为规则错了
alert icmp any any -> any any (dsize:>500; reference:arachnids,246; classtype:bad-unknown; rev:4; msg: “ Large ICMP Packet ”; )
结果就我发现/var/log/snort里没运行一次都出现一个奇怪的日志(?)文件,里面这样的,这要怎么办啊TAT
