Snort mailing list archives
Re: the most cryptic fsck'ing thing...
From: John Sage <jsage () finchhaven com>
Date: Sun, 20 May 2001 19:44:19 -0700
Erek:

Erek Adams wrote:
> On Sat, 19 May 2001, John Sage wrote:
>> At the risk of seeming like a total idiot (at this point I don't care ;-)
> Idiot? No, I've already won that title. :)
heh..
>> Snort has got to be the most cryptic fsck'ing thing to get running I've ever seen!
> Yeppers. It has a few 'things' that make it fun to set up.
Actually, snort's working great, now, if all I want to do is look at eth0 ;-) Most of my problems *now* seem to be pointing toward a ppp0 issue. There's a thread in the snort archives from last month suggesting that the 1.8 beta may be the way to go.. http://archives.neohapsis.com/archives/snort/2001-04/0518.html
>> May 19 10:48:44 sparky snort: log_tcpdump TcpdumpInitLogFile(): No such file or directory
>> What's that all about? Is that why nothing's logging? (OK: well, duh..)
> You got it in one guess! ;-) Actually... If I were to guess at it, I'd say that it's a file/directory problem. Take a look and make sure that /var/log/snort exists, and that the user that snort is running as has write permissions to it. Also check and make sure that the /var/log/snort/tcpdump.log file exists and has writeable permissions.
I think you are right.. been fiddling with so much, I forgot what exactly was wrong with that particular issue. I think I had too much in my snort.conf -- I had the file name and not just the path... or something like that. Or I was alerting, but not logging, or logging but not alerting, or somesuch ;-) That's fixed. Now I gotta deal with the ppp0 issue..
> If you are on Solaris you can use 'truss' to find out where/why it's dying. I had one of my Linux geek friends tell me that there is something called 'strace' for Linux that does almost the same thing...
I'm running Linux.. strace: I'll look into that.
>> Finally, how can I dump the current active variables? Is there something like "echo $HOME_NET"?
> Not to my knowledge. I usually just grep thru the snort.conf for "$" to find any variables. Hope this helps!
Thanks for your reply; sorry my post was so cranky..

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
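The two checks Erek suggests (does the snort log directory exist, and can the user snort runs as write to it) and John's question about dumping the active variables, as an added shell example that is not part of this thread or of the Snort project. The script only understands the `var NAME value` form of snort.conf (plus `ipvar`/`portvar`, which later Snort versions added); it does not expand one variable inside another, and all paths in it are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example, not from the thread: diagnose the TcpdumpInitLogFile()
# "No such file or directory" symptom and list the variables snort.conf defines.
# Run it as the user snort runs as: for root, `-w` is true regardless of mode.

# check_logdir DIR -> 0 if DIR exists and is writable by the current user,
# 1 if it is missing, 2 if it exists but is not writable. Prints a one-line diagnosis.
check_logdir() {
    dir="${1:-/var/log/snort}"          # default path is an assumption
    if [ ! -d "$dir" ]; then
        echo "missing: $dir (log_tcpdump would fail with 'No such file or directory')"
        return 1
    fi
    if [ ! -w "$dir" ]; then
        echo "not writable by $(id -un): $dir"
        return 2
    fi
    echo "ok: $dir"
    return 0
}

# list_vars CONF -> one "NAME value" line per var/ipvar/portvar definition,
# with whole-line and trailing '#' comments dropped.
list_vars() {
    awk '
        { sub(/[ \t]*#.*$/, "") }               # strip comments, then re-split fields
        $1 == "var" || $1 == "ipvar" || $1 == "portvar" {
            name = $2
            $1 = ""; $2 = ""                    # rebuild $0 as the bare value
            sub(/^[ \t]+/, "")
            print name, $0
        }' "$1"
}

# snort_var CONF NAME -> prints the value of NAME (last definition wins, as snort
# itself redefines on re-assignment); returns 1 if NAME is never defined.
snort_var() {
    list_vars "$1" | awk -v n="$2" '
        $1 == n { v = substr($0, length(n) + 2) }
        END { if (v == "") exit 1; print v }'
}

# Usage (paths are assumptions): sh snortcheck.sh /etc/snort/snort.conf /var/log/snort
if [ $# -ge 1 ]; then
    conf="$1"
    logdir="${2:-/var/log/snort}"
    check_logdir "$logdir"
    echo "variables defined in $conf:"
    list_vars "$conf"
fi
```

`snort_var conf HOME_NET` is the closest equivalent to the "echo $HOME_NET" John asked for: it reads what the file will set, not what a running snort has loaded, so a value such as `$HOME_NET` inside `DNS_SERVERS` is printed unexpanded.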