Snort mailing list archives
the most cryptic fsck'ing thing...
From: John Sage <jsage () finchhaven com>
Date: Sat, 19 May 2001 11:22:04 -0700
At the risk of seeming like a total idiot (at this point I don't care ;-) Snort has got to be the most cryptic fsck'ing thing to get running I've ever seen!
Using this command line in /etc/rc.d/rc.firewall.strong (which runs when ppp0 comes up):
/usr/bin/snort -b -D -i ppp0 -c /usr/local/snort-1.7/snort.conf

and *only* this in /usr/local/snort-1.7/snort.conf (there's no fancy stuff... they're all commented out):

# var HOME_NET 192.168.1.0/24

and *only* my local rules:

# local rules
include /usr/local/snort-1.7/tcp-local-lib
include /usr/local/snort-1.7/udp-local-lib
include /usr/local/snort-1.7/icmp-local-lib

Which have the same permissions as everything else, and which are nothing more than:

log tcp any any -> $HOME_NET any (msg:"TCP packet";)
log udp any any -> $HOME_NET any (msg:"UDP packet";)
log icmp any any -> $HOME_NET any (msg:"ICMP packet";)

(which I *think* should log *everything*...)

OK: So, I dial up, and the firewall comes up, and from ps ax I get:

26905 ?        S      0:00 /usr/bin/snort -b -D -i ppp0 -c /usr/local/snort-1.7/snort.conf

and this, brand new, in /var/log/snort:

[root@sparky /var/log/snort]# ls -lat
total 10
drwxr-xr-x   2 root     root         1024 May 19 10:48 .
-rw-------   1 root     root            0 May 19 10:48 alert
-rw-------   1 root     root            0 May 19 10:48 snort-0519 () 1048 log

and nothing ever gets logged or written here, no matter what kind of packets come in or how long I wait.
So, when I add to snort.conf:

# output log_tcpdump: /var/log/snort/snort.tcpdump

Which is *exactly* what is in the FAQ, I get:

May 19 10:48:44 sparky snort: log_tcpdump TcpdumpInitLogFile(): No such file or directory

What's that all about? Is that why nothing's logging? (OK: well, duh..)

So, how do I fix "log_tcpdump TcpdumpInitLogFile(): No such file or directory" and why do I *have* to fix it, when this was just a plain vanilla, box-stock install right from the instructions in INSTALL?
Finally, how can I dump the current active variables? Is there something like "echo $HOME_NET"?

Thanks loads,

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."
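The post asks two checkable things: whether the three `log ... $HOME_NET` rules are usable with the snort.conf shown, and how to see which variables are actually active. The script below is an added example (editor's code, not part of the original message and not Snort's own parser): it reads a snort.conf-style text in the Snort 1.x syntax the post uses, keeps only uncommented `var` definitions, records `include` and `output` lines, parses the simple `action proto src sport -> dst dport (options)` rule form, and reports every `$NAME` reference in a rule that no active `var` defines. The `SAMPLE_CONF` and `SAMPLE_RULES` strings are constructed to resemble the post's files; the function and variable names are this example's own.

```python
"""Sanity checker for Snort 1.x-style configs (added example, not Snort code).

Lists the *active* `var` definitions (the answer to "echo $HOME_NET"), expands
them into the rules, and flags rules whose variables are never defined.
"""
import re

# var NAME VALUE            -> definition
VAR_RE = re.compile(r"^var\s+(\w+)\s+(\S+)\s*$")
# action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(alert|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)
REF_RE = re.compile(r"\$(\w+)")  # $NAME references inside a rule field

# Constructed sample in the shape of the post's snort.conf (the var is commented out).
SAMPLE_CONF = """\
# constructed sample snort.conf
# var HOME_NET 192.168.1.0/24
# local rules
include /usr/local/snort-1.7/tcp-local-lib
include /usr/local/snort-1.7/udp-local-lib
include /usr/local/snort-1.7/icmp-local-lib
"""

# Constructed sample rules, as the included *-local-lib files would contain them.
SAMPLE_RULES = """\
log tcp any any -> $HOME_NET any (msg:"TCP packet";)
log udp any any -> $HOME_NET any (msg:"UDP packet";)
log icmp any any -> $HOME_NET any (msg:"ICMP packet";)
"""


def active_lines(text):
    """Yield (lineno, line) for lines that are neither blank nor '#' comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield n, line


def parse_config(text):
    """Split a config text into vars, includes, outputs, rules and unknown lines."""
    cfg = {"vars": {}, "includes": [], "outputs": [], "rules": [], "unknown": []}
    for n, line in active_lines(text):
        m = VAR_RE.match(line)
        if m:
            cfg["vars"][m.group(1)] = m.group(2)
            continue
        if line.startswith("include "):
            cfg["includes"].append(line.split(None, 1)[1])
            continue
        if line.startswith("output "):
            cfg["outputs"].append(line.split(None, 1)[1])
            continue
        m = RULE_RE.match(line)
        if m:
            action, proto, src, sport, direction, dst, dport, opts = m.groups()
            cfg["rules"].append({"line": n, "action": action, "proto": proto,
                                 "src": src, "sport": sport, "dir": direction,
                                 "dst": dst, "dport": dport, "opts": opts})
            continue
        cfg["unknown"].append((n, line))
    return cfg


def dump_vars(cfg):
    """Return the active variables as sorted 'NAME=VALUE' strings."""
    return [f"{k}={v}" for k, v in sorted(cfg["vars"].items())]


def check_rules(cfg):
    """Return (lineno, field, name) for every $NAME a rule uses that is not defined."""
    problems = []
    for rule in cfg["rules"]:
        for field in ("src", "sport", "dst", "dport"):
            for name in REF_RE.findall(rule[field]):
                if name not in cfg["vars"]:
                    problems.append((rule["line"], field, name))
    return problems


def expand_rule(rule, variables):
    """Return the rule text with $NAME replaced by its value; KeyError if undefined."""
    def sub(m):
        return variables[m.group(1)]
    fields = [rule["action"], rule["proto"],
              REF_RE.sub(sub, rule["src"]), REF_RE.sub(sub, rule["sport"]),
              rule["dir"],
              REF_RE.sub(sub, rule["dst"]), REF_RE.sub(sub, rule["dport"])]
    return " ".join(fields) + " (" + rule["opts"] + ")"


if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_CONF),
                        ("var uncommented", SAMPLE_CONF.replace("# var", "var"))):
        cfg = parse_config(conf + SAMPLE_RULES)
        print(f"[{label}] active vars: {dump_vars(cfg) or 'none'}")
        for line, field, name in check_rules(cfg):
            print(f"  line {line}: {field} references undefined ${name}")
        if not check_rules(cfg):
            for rule in cfg["rules"]:
                print("  " + expand_rule(rule, cfg["vars"]))
```

Run as-is, the first pass shows no active variables and three rules pointing at an undefined `$HOME_NET`; the second pass, with the `var` line uncommented, lists `HOME_NET=192.168.1.0/24` and prints the three rules with the network substituted in. The checker deliberately only understands the flat Snort 1.x syntax shown in the post (no preprocessor lines, no nested includes), so anything else lands in `unknown` rather than being silently accepted.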