Intrusion Detection was stopped in my IPCoP, version 1.4.1, a while a go, I tried to start them all three through GUI but Got message fail to start.
I loged in in console of Ipcop.
I checked the existing version of snort, which was older than latest.
root@firewall:/etc/snort/rules # snort --version
snort: unrecognized option `--version'
,,_ -*> Snort! <*-
o" )~ Version 18.104.22.168 (Build 59)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2007 Sourcefire Inc., et al.
And when tried to start the snort using this command
root@firewall:~ # snort -c /etc/snort/snort.conf -l /var/log/snort/
I got error that there is error in line # 38 in exploit.rules file located in /etc/snort/rules/ folder.
When I tried to comment the line it gives error on line#39.
Replace the existing rules folder with working one.
For that I installed the latest snort in my laptop, and check the version.
imran@imran-laptop~ $ sudo apt-get install snort-mysql
imran@imran-laptop~ $ snort --version
,,_ -*> Snort! <*-
o" )~ Version 22.214.171.124 (Build 121)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2009 Sourcefire, Inc., et al.
Using PCRE version: 7.8 2008-09-05
and copied the rules folder in to IPcop
imran@imran-laptop~ $ scp '-P 22' exploit.rules email@example.com:/root
Then I make .tar of existing rules folder in IPCoP
root@firewall:/etc/snort/rules # tar -cvf rules.tar .
and replaced the one copied from my laptop and changed the permission to user nobody:nobody
root@firewall:/etc/snort/rules # chown -R nobody:nobody rules
Now IP cop has new rules list, although these rules were from new version of Snort 2.8.6
When I restarted snort again from console with above command, this time no error and it started straight away.
Then I can start and stop from GUI successfully.