Snort mailing list archives

Re: Strange system() problem with snort


From: John Sage <jsage () finchhaven com>
Date: Sun, 30 Dec 2001 10:13:07 -0800

Mark:

I believe the issue is that -e and ppp links are, if not incompatible, irrelevant.

-e attempts to dump the link-layer data, such as the hardware address of a NIC in an Ethernet context.

ppp encapsulates IP packets, but the concept of a hardware address, and ARP requests, is irrelevant because the link is always and only one point to one point.

Each end knows that it's only going to be communicating with one other end...

...which is why "promiscuity" (heh..) is irrelevant, also.

A ppp link will by its nature only see traffic destined for your end, not all traffic on the wire, again as in ethernet.


I can start snort with -de -vvv -i ppp0 and I get exactly the same message about "no second layer link blah blah blah...." but snort is still working.


HTH..

- John

--
Computers: they're really nothing but l's and O's



Mark Wormgoor wrote:

Guys,

I have a small problem with starting snort from another program.  I'm
running snort 1.8.3 (from RPM) on a Redhat 7.2 based system.

When I start snort from the command line, it will start just fine:
/usr/sbin/snort -c /etc/snort/snort.conf -D -u snort -g snort -d -e -z ALL -A fast -m 022 -i ppp0
  Dec 30 09:51:42 ipcop kernel: device ppp0 entered promiscuous mode
  Dec 30 09:51:42 ipcop snort: PID stat checked out ok, PID set to /var/run/
  Dec 30 09:51:42 ipcop snort: Writing PID file to "/var/run/"
  Dec 30 09:51:42 ipcop snort: Initializing daemon mode
  Dec 30 09:51:42 ipcop snort: PID stat checked out ok, PID set to /var/run/
  Dec 30 09:51:42 ipcop snort: Writing PID file to "/var/run/"
  Dec 30 09:51:42 ipcop snort: There's no second layer header available for this datalink
  Dec 30 09:51:47 ipcop snort: Snort initialization completed successfully, Snort running

When I start snort from another program, it dies.  The important line here
is 'device ppp0 left promiscuous mode'.  Why is it leaving promiscuous mode
so soon after I start it?
system("/usr/sbin/snort -c /etc/snort/snort.conf -D -u snort -g snort -d -e -z ALL -A fast -m 022 -i ppp0");
  Dec 30 09:51:17 ipcop kernel: device ppp0 entered promiscuous mode
  Dec 30 09:51:17 ipcop snort: PID stat checked out ok, PID set to /var/run/
  Dec 30 09:51:18 ipcop snort: Writing PID file to "/var/run/"
  Dec 30 09:51:18 ipcop snort: Initializing daemon mode
  Dec 30 09:51:18 ipcop kernel: device ppp0 left promiscuous mode
  Dec 30 09:51:18 ipcop snort: PID stat checked out ok, PID set to /var/run/
  Dec 30 09:51:18 ipcop snort: Writing PID file to "/var/run/"
  Dec 30 09:51:18 ipcop snort: There's no second layer header available for this datalink
  Dec 30 09:51:23 ipcop snort: Snort initialization completed successfully, Snort running
  Dec 30 09:51:23 ipcop snort: pcap_loop: recvfrom: Socket operation on non-socket
  Dec 30 09:51:23 ipcop snort: Snort received signal 3, exiting

Kind regards,


        Mark Wormgoor
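
Added example (not part of either poster's message and not Snort project code): a small Python check over syslog lines in the format quoted in this thread, reporting whether the sensor is still running after start-up and which events preceded an exit. It also rejoins entries that a mail client has wrapped onto a second line; the function names `unwrap` and `sensor_findings` are hypothetical, and the sample input is excerpted from the logs quoted above.

```python
import re

# Syslog prefix as it appears in the thread: "Dec 30 09:51:23 ipcop snort: msg"
LINE = re.compile(r"^\s*(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s(\w+):\s(.*)$")

def unwrap(raw):
    """Rejoin entries that were wrapped onto a second line."""
    entries = []
    for line in raw.splitlines():
        if LINE.match(line):
            entries.append(line.strip())
        elif line.strip() and entries:
            entries[-1] += " " + line.strip()
    return entries

def sensor_findings(raw):
    """Return (state, findings) for one Snort start-up sequence."""
    state, findings = "not started", []
    for entry in unwrap(raw):
        ts, host, prog, msg = LINE.match(entry).groups()
        if prog == "kernel" and "left promiscuous mode" in msg:
            findings.append((ts, "interface left promiscuous mode"))
        elif prog == "snort" and "initialization completed successfully" in msg:
            state = "running"
        elif prog == "snort" and msg.startswith("pcap_loop:"):
            findings.append((ts, "capture error: " + msg))
        elif prog == "snort" and re.search(r"received signal \d+, exiting", msg):
            state = "exited"
            findings.append((ts, "sensor exited"))
    return state, findings

# Excerpts of the two logs quoted in the thread, wrapped as in the original mail.
CLI_START = """\
  Dec 30 09:51:42 ipcop kernel: device ppp0 entered promiscuous mode
  Dec 30 09:51:42 ipcop snort: There's no second layer header available for
this datalink
  Dec 30 09:51:47 ipcop snort: Snort initialization completed successfully,
Snort running
"""
SYSTEM_START = """\
  Dec 30 09:51:17 ipcop kernel: device ppp0 entered promiscuous mode
  Dec 30 09:51:18 ipcop kernel: device ppp0 left promiscuous mode
  Dec 30 09:51:23 ipcop snort: Snort initialization completed successfully,
Snort running
  Dec 30 09:51:23 ipcop snort: pcap_loop: recvfrom: Socket operation on
non-socket
  Dec 30 09:51:23 ipcop snort: Snort received signal 3, exiting
"""
```

The "no second layer header" message is deliberately not treated as a finding, since it appears in the working start-up as well.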


