Snort mailing list archives

Re: the most cryptic fsck'ing thing...


From: John Sage <jsage () finchhaven com>
Date: Sun, 20 May 2001 19:44:19 -0700

Erek:

Erek Adams wrote:

> On Sat, 19 May 2001, John Sage wrote:
>
>> At the risk of seeming like a total idiot (at this point I don't care ;-)
>
> Idiot?  No, I've already won that title. :)

heh..

>> Snort has got to be the most cryptic fsck'ing thing to get running I've
>> ever seen!
>
> Yeppers.  It has a few 'things' that make it fun to set up.

Actually, snort's working great, now, if all I want to do is look at eth0 ;-)

Most of my problems *now* seem to be pointing toward a ppp0 issue.

There's a thread in the snort archives from last month suggesting that
the 1.8 beta may be the way to go..

http://archives.neohapsis.com/archives/snort/2001-04/0518.html

>> May 19 10:48:44 sparky snort: log_tcpdump TcpdumpInitLogFile(): No such
>> file or directory
>>
>> What's that all about?
>>
>> Is that why nothing's logging? (OK: well, duh..)
>
> You got it in one guess! ;-)
>
> Actually...  If I were to guess at it, I'd say that it's a file/directory
> problem.  Take a look and make sure that /var/log/snort exists, and that the
> user that snort is running as has write permissions to it.  Also check and
> make sure that the /var/log/snort/tcpdump.log file exists and has writeable
> permissions.

I think you are right.. been fiddling with so much, I forgot what exactly
was wrong with that particular issue.

I think I had too much in my snort.conf -- I had the file name and not just the
path... or something like that. Or I was alerting, but not logging, or logging
but not alerting, or somesuch ;-)

That's fixed. Now I gotta deal with the ppp0 issue..

> If you are on Solaris you can use 'truss' to find out where/why it's dying.
> I had one of my Linux geek friends tell me that there is something called
> 'strace' for Linux that does almost the same thing...

I'm running Linux.. strace: I'll look into that.

>> Finally, how can I dump the current active variables?
>>
>> Is there something like "echo $HOME_NET"?
>
> Not to my knowledge.  I usually just grep thru the snort.conf for "$" to find
> any variables.
>
> Hope this helps!

Thanks for your reply; sorry my post was so cranky..

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."
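The two practical questions in this exchange, "why does log_tcpdump fail with No such file or directory" and "how do I dump the variables that snort.conf actually defines", can both be answered from the shell. The script below is an added example and is not code from this thread, from Snort, or from either poster. It assumes the Snort 1.x `var NAME VALUE` syntax and that the file named on an `output log_tcpdump:` line is created under the log directory Snort is started with (`-l`, /var/log/snort by default); the sample snort.conf is constructed for the example, and the function names (`snort_vars`, `snort_var`, `tcpdump_log_path`, `logdir_writable`) are the example's own. Unlike a plain grep for "$", it resolves references to earlier variables and flags ones that are never defined.

```shell
#!/bin/sh
# Added example (not from the thread or from Snort): resolve the "var"
# definitions in a Snort 1.x snort.conf and check the tcpdump log location.
# Assumes "var NAME VALUE" syntax and that "output log_tcpdump: FILE" writes
# FILE under the directory Snort is given with -l.

# Constructed sample config (not a real deployment) written to a temp file.
SAMPLE_CONF="${TMPDIR:-/tmp}/snort_vars_example.$$"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample snort.conf for the example
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var RULE_PATH /etc/snort/rules
var SMTP $UNDEFINED_SERVERS
output log_tcpdump: tcpdump.log
include $RULE_PATH/local.rules
EOF

# snort_vars CONF
# Print "NAME=VALUE" for every var line, expanding $REFERENCES with the
# definitions that precede them in file order.  A reference to a variable
# that is missing (or defined later) is printed as <UNDEFINED:NAME>.
snort_vars() {
  awk '
    $1 == "var" && NF >= 3 {
      name = $2; val = $3
      for (i = 4; i <= NF; i++) val = val " " $i
      while (match(val, /\$[A-Za-z0-9_]+/)) {
        ref = substr(val, RSTART + 1, RLENGTH - 1)
        rep = (ref in vars) ? vars[ref] : "<UNDEFINED:" ref ">"
        val = substr(val, 1, RSTART - 1) rep substr(val, RSTART + RLENGTH)
      }
      vars[name] = val
      print name "=" val
    }' "$1"
}

# snort_var CONF NAME : print the resolved value of one variable.
snort_var() {
  snort_vars "$1" | sed -n "s/^$2=//p"
}

# tcpdump_log_path CONF LOGDIR : the file log_tcpdump will try to create.
tcpdump_log_path() {
  name=$(sed -n 's/^[[:space:]]*output[[:space:]]*log_tcpdump:[[:space:]]*//p' "$1" | head -n 1)
  [ -n "$name" ] || return 1
  printf '%s/%s\n' "${2%/}" "$name"
}

# logdir_writable DIR : succeeds if DIR exists and the current user can write
# to it.  Run this as the user Snort runs as; when it fails, the symptom is
# the "TcpdumpInitLogFile(): No such file or directory" message from the thread.
logdir_writable() {
  [ -d "$1" ] && [ -w "$1" ]
}

# Usage when run directly:
snort_vars "$SAMPLE_CONF"
tcpdump_log_path "$SAMPLE_CONF" /var/log/snort
if logdir_writable /var/log/snort; then
  echo "/var/log/snort: exists and is writable by $(id -un)"
else
  echo "/var/log/snort: missing or not writable by $(id -un)"
fi
```

Run it with `su` or `sudo -u` as the account Snort drops to, not as root, or the writability check tells you nothing about the failing process. Point it at the real config (`snort_vars /etc/snort/snort.conf`) to see the values the rules will actually get; any `<UNDEFINED:...>` in the output is a variable that snort.conf uses before, or without, defining it.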


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

