Snort mailing list archives

Re: OpenPcap() error


From: Robert Cole <robert.cole () support4linux com>
Date: Tue, 18 Mar 2003 11:46:57 -0800

Ummm...  You've got something wrong on your side.  I'm testing this and
get _no_ errors using those two statements.

      useradd snort
      groupadd snort
[add those two lines to the very top of snort.conf]

The useradd and groupadd statements? They would fail because of this output you
requested:

      grep snort /etc/{group,passwd,shadow}

/etc/group:snort:x:407:snort
/etc/passwd:snort:x:1000:407:snort:/var/log/snort:/dev/false
/etc/shadow:snort:!:12128:0:99999:7:::


      snort -T -c /path/to/snort.conf

It will check its config.  If it's wrong, it will fail.  If it's correct,
it will just cleanly exit.  If that happens....

It does exit cleanly

      snort -c /path/to/snort

Should make it work.

It does except when it sits there logging to the screen taking the tty
session. Logging onto another term and doing a ps shows me that snort is
running as root.

Also if I remove your output alert_syslog command I get this error:

Mar 18 11:03:28 logger snort: FATAL ERROR: ERROR: OpenPcap() device any open: socket: Operation not permitted
Mar 18 11:09:03 logger snort: WARNING: OpenPcap() device eth0 network lookup: eth0: no IPv4 address assigned
Mar 18 11:09:03 logger snort: FATAL ERROR: ERROR in OpenAlertFile() => fopen() alert file /var/log/snort/alert: No such file or directory

The directory exists and snort.snort has access to it.

I haven't been using the system script to start snort just the binary.

Thanks for all your help. It's appreciated :)

Robert

