Snort mailing list archives

Re: First time in NIDS mode, and...


From: John Sage <jsage () finchhaven com>
Date: Wed, 16 May 2001 21:39:34 -0700

First, thanks to Jeff, Joshua, Subba and John for your responses.

John Sage wrote:
>
> Just got snort on; works great in packet logging mode; now I'm moving on
> to NIDS mode and I'm getting this:
>
> from logcheck:
> May 16 06:49:42 sparky pppd[10996]: Connect: ppp0 <--> /dev/modem
> :
> May 16 06:49:45 sparky snort: ERROR: Unable to open rules file: webcgi-lib


What I did here was to add the full path as a prefix to all the rules
in snort.conf:

/usr/local/snort-1.7/webcgi-lib

and so on...


> May 16 06:49:45 sparky kernel: device ppp0 entered promiscuous mode
> May 16 06:49:45 sparky kernel: device ppp0 left promiscuous mode

Subba:

If I'm not mistaken, promiscuous mode is irrelevant for a ppp connection
specifically because it's point-to-point -- I'm actually not concerned
about this...


> command line (run from the script that sets up ipchains):
>
> /usr/bin/snort -d -D -l /var/log/snort -h 192.168.1.0/24 -i ppp0 -c
> /usr/local/snort-1.7/snort.conf


The script that runs snort is in /etc/rc.d but in it I specify the full
path to the snort binary in /usr/bin, and to the snot^H (crikeys I'm
tired of typing "snotr".. ;-) snort.conf, which is in the installation
directory /usr/local/snort-1.7

Thanks for all your help..

..now I gotta figure out why snort doesn't seem to be logging anything.

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."
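
A pre-flight check for the situation in this message, as an added example that is not part of the original post or of Snort: it lists the `include` targets in a config file that will not open from the directory the start-up script runs in. It assumes relative include paths are resolved against the process's working directory (consistent with the error quoted above); `check_includes` and `demo` are hypothetical names and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or the Snort distribution.
# Assumption: a relative "include" path is resolved against the directory
# Snort is started from, not against the directory holding snort.conf.
# Include paths are assumed to contain no whitespace.

# check_includes CONF [RUNDIR]
# Prints one line per include target that is not a readable regular file
# when resolved from RUNDIR (default: current directory).
# Returns 0 if all resolve, 1 if any is missing, 2 if CONF is unreadable.
check_includes() {
    conf=$1
    rundir=${2:-.}
    [ -r "$conf" ] || { echo "cannot read config: $conf" >&2; return 2; }
    missing=0
    # Only lines whose first word is exactly "include" count, so
    # commented-out includes ("# include ...") are skipped.
    for target in $(awk '$1 == "include" { print $2 }' "$conf"); do
        case $target in
            /*) path=$target ;;          # absolute: same from any directory
            *)  path=$rundir/$target ;;  # relative: depends on RUNDIR
        esac
        if [ ! -f "$path" ] || [ ! -r "$path" ]; then
            echo "MISSING $target (looked for $path)"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample: one relative include, checked first from the install
# directory and then from a different directory, as an rc script would run.
demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/snort" "$d/rc.d"
    : > "$d/snort/webcgi-lib"
    printf '# include unused-lib\ninclude webcgi-lib\n' > "$d/snort/snort.conf"
    echo "from install dir:"
    check_includes "$d/snort/snort.conf" "$d/snort" && echo "all includes resolve"
    echo "from rc.d:"
    check_includes "$d/snort/snort.conf" "$d/rc.d" || true
    rm -rf "$d"
}
demo
```
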

