Snort mailing list archives
Re: the most cryptic fsck'ing thing...
From: John Sage <jsage () finchhaven com>
Date: Sun, 20 May 2001 19:33:45 -0700
Fyodor: In a word, yes, /var/log/snort is there.. Actually, snort works great looking at eth0. It sees my rules, etc. etc.. There seem to be issues with ppp0, although here's a snip from the snort archives from just last month.

This is the end of the thread:

> From: centipede (centiped () netvision net il)
> Date: Wed Apr 18 2001 - 16:46:04 CDT
>
> Hi, things are going on, slowly but still. I've built the new snort 1.8 beta 2, and used the --enable-debug option. It seems that things are going all quite good, and $ppp0_ADDRESS is assigned my.ip.my.ip/255.255.255.255. The progress I've had is when running snort regularly, not as a daemon. It worked! Running it as a daemon seems to be my problem, so meanwhile I'm gonna use it regularly, i.e. snort -bla -bla -bla & >/dev/null or something. Any suggestion why the -D could be the problem? Is there a better way to run it otherwise than I've mentioned? Thanks.
>
> centipede.
>
> Fyodor wrote:
> > On Sun, Apr 15, 2001 at 08:09:45PM +0300, centipede wrote:
> <snip>

So presently I'm going to put on the latest libpcap and --what?-- the 1.8 beta of snort and see what happens..

Thanks for your response; sorry my post was so cranky...

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."

Fyodor wrote:

> does your /var/log/snort/ directory exist?
>
> On Sat, May 19, 2001 at 11:22:04AM -0700, John Sage wrote:
> > At the risk of seeming like a total idiot (at this point I don't care ;-)
> >
> > Snort has got to be the most cryptic fsck'ing thing to get running I've ever seen!
> >
> > Using this command line in /etc/rc.d/rc.firewall.strong (which runs when ppp0 comes up):
> >
> > /usr/bin/snort -b -D -i ppp0 -c /usr/local/snort-1.7/snort.conf
> >
> > and *only* this in /usr/local/snort-1.7/snort.conf: (there's no fancy stuff... they're all commented out)
> >
> > # var HOME_NET 192.168.1.0/24
> >
> > and *only* my local rules:
> >
> > # local rules
> > include /usr/local/snort-1.7/tcp-local-lib
> > include /usr/local/snort-1.7/udp-local-lib
> > include /usr/local/snort-1.7/icmp-local-lib
> >
> > Which have the same permissions as everything else, and which are nothing more than:
> >
> > log tcp any any -> $HOME_NET any (msg:"TCP packet";)
> > log udp any any -> $HOME_NET any (msg:"UDP packet";)
> > log icmp any any -> $HOME_NET any (msg:"ICMP packet";)
> >
> > (which I *think* should log *everything*...)
> >
> > OK: So, I dial up, and the firewall comes up, and from ps ax I get:
> >
> > 26905 ? S 0:00 /usr/bin/snort -b -D -i ppp0 -c /usr/local/snort-1.7/snort.conf
> >
> > and this, brand new, in /var/log/snort,
> >
> > [root@sparky /var/log/snort]# ls -lat
> > total 10
> > drwxr-xr-x 2 root root 1024 May 19 10:48 .
> > -rw------- 1 root root 0 May 19 10:48 alert
> > -rw------- 1 root root 0 May 19 10:48 snort-0519 () 1048 log
> >
> > and nothing ever gets logged or written here, no matter what kind of packets come in or how long I wait.
> >
> > So, when I add to snort.conf:
> >
> > # output log_tcpdump: /var/log/snort/snort.tcpdump
> >
> > Which is *exactly* what is in the FAQ, I get:
> >
> > May 19 10:48:44 sparky snort: log_tcpdump TcpdumpInitLogFile(): No such file or directory
> >
> > What's that all about? Is that why nothing's logging? (OK: well, duh..)
> >
> > So, how do I fix "log_tcpdump TcpdumpInitLogFile(): No such file or directory" and why do I *have* to fix it, when this was just a plain vanilla, box-stock install right from the instructions in INSTALL?
> >
> > Finally, how can I dump the current active variables? Is there something like "echo $HOME_NET"?
> >
> > Thanks loads,
> >
> > - John
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
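As an added example (not code from this thread or from the Snort project), a small POSIX shell preflight for the situation John describes: it checks that every include'd rule file is readable, that the directory which will receive the log_tcpdump file exists and is writable, and prints the active var lines in place of the missing "echo $HOME_NET". It assumes that Snort 1.x joins the -l log directory (default /var/log/snort) to the configured log_tcpdump name, so an absolute path in snort.conf resolves to a nonexistent nested path; the sample configs and directories are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Snort: preflight checks on a
# Snort 1.x snort.conf before "snort -D", where a fatal startup error is only
# visible in syslog. Sample paths and configs below are constructed.

# Return 0 only if every "include <file>" in the config is a readable file.
check_includes() {
    rc=0
    for path in $(sed -n 's/^[[:space:]]*include[[:space:]]\{1,\}//p' "$1"); do
        if [ -r "$path" ]; then echo "ok   include $path"
        else echo "FAIL include $path (missing or unreadable)"; rc=1; fi
    done
    return $rc
}

# Return 0 only if the directory that will receive the "output log_tcpdump:"
# file exists and is writable. Assumption: Snort 1.x joins the -l log
# directory ($2) to the configured name, so an absolute name such as
# /var/log/snort/x.tcpdump becomes /var/log/snort//var/log/snort/x.tcpdump.
check_log_tcpdump() {
    rc=0
    for f in $(sed -n 's/^[[:space:]]*output[[:space:]]\{1,\}log_tcpdump:[[:space:]]*//p' "$1"); do
        target="$2/$f"; dir=$(dirname "$target")
        if [ -d "$dir" ] && [ -w "$dir" ]; then echo "ok   log_tcpdump $target"
        else echo "FAIL log_tcpdump $target ($dir missing or not writable)"; rc=1; fi
    done
    return $rc
}

# Print the active "var" definitions, the closest thing to "echo \$HOME_NET".
show_vars() { sed -n 's/^[[:space:]]*var[[:space:]]\{1,\}//p' "$1"; }

# Constructed log directory plus two configs: bad.conf mirrors the thread (one
# missing rule file, absolute log_tcpdump path); good.conf has both corrected.
make_sample() {
    d=$(mktemp -d); mkdir "$d/log"
    echo 'log tcp any any -> $HOME_NET any (msg:"TCP packet";)' > "$d/tcp-local-lib"
    printf 'var HOME_NET 192.168.1.0/24\ninclude %s/tcp-local-lib\ninclude %s/udp-local-lib\noutput log_tcpdump: %s/log/snort.tcpdump\n' \
        "$d" "$d" "$d" > "$d/bad.conf"
    printf 'var HOME_NET 192.168.1.0/24\ninclude %s/tcp-local-lib\noutput log_tcpdump: snort.tcpdump\n' \
        "$d" > "$d/good.conf"
    echo "$d"
}

# Stand-alone run over both constructed configs.
d=$(make_sample)
for c in bad good; do
    echo "== $c.conf"; show_vars "$d/$c.conf"
    check_includes "$d/$c.conf"; check_log_tcpdump "$d/$c.conf" "$d/log"
done
```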
Current thread:
- the most cryptic fsck'ing thing... John Sage (May 19)
- Message not available
- Re: the most cryptic fsck'ing thing... John Sage (May 20)
- Message not available
- <Possible follow-ups>
- Re: the most cryptic fsck'ing thing... John Sage (May 20)