Snort mailing list archives

Re: OpenPcap() error


From: Erek Adams <erek () snort org>
Date: Tue, 18 Mar 2003 15:18:25 -0500 (EST)

On Tue, 18 Mar 2003, Robert Cole wrote:

[...snip...]

> /etc/group:snort:x:407:snort
> /etc/passwd:snort:x:1000:407:snort:/var/log/snort:/dev/false
> /etc/shadow:snort:!:12128:0:99999:7:::

Ok, good.  That means there is the user and the group.  One possible
eliminated.

[...snip...]

> It does exit cleanly

Then there is no problem with your config.

> It does except when it sits there logging to the screen taking the tty
> session. Logging onto another term and doing a ps shows me that snort is
> running as root.

That's expected.  Exactly as planned....

> Also if I remove your output alert_syslog command I get this error:
>
> Mar 18 11:03:28 logger snort: FATAL ERROR: ERROR: OpenPcap() device any
> open:  socket: Operation not permitted
> Mar 18 11:09:03 logger snort: WARNING: OpenPcap() device eth0 network
> lookup:  eth0: no IPv4 address assigned
> Mar 18 11:09:03 logger snort: FATAL ERROR: ERROR in OpenAlertFile() =>
> fopen()  alert file /var/log/snort/alert: No such file or directory
>
> The directory exists and snort.snort has access to it.
>
> I haven't been using the system script to start snort just the binary.

Edit your .conf file so that there is a space following each colon.  From
what you sent earlier, you have:

        <bleh>:<foo>

Try it as:

        <bleh>: <foo>

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
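
The colon-spacing check suggested in the message above, as an added example that is not part of the original post or of Snort itself. The function names, the choice to check only `output`, `preprocessor` and `config` lines, and the sample config are assumptions made for illustration; the sample lines are constructed.

```shell
#!/bin/sh
# Added example: flag snort.conf directive lines whose colon is not followed
# by a space (the "<bleh>:<foo>" form) and print the spaced form to try.

# Constructed sample config, not the poster's actual file.
sample_conf() {
    cat <<'EOF'
# constructed sample
output alert_syslog:LOG_AUTH LOG_ALERT
output alert_syslog: LOG_AUTH LOG_ALERT
preprocessor stream4:detect_scans
config logdir: /var/log/snort
alert tcp any any -> any 80 (msg:"constructed rule"; sid:1000001;)
EOF
}

# check_conf_colons FILE
# Assumption: only "output", "preprocessor" and "config" lines are checked;
# comments and rule bodies (msg:"..."; sid:...;) are left alone.
# Returns 1 if any line was flagged, 0 otherwise.
check_conf_colons() {
    awk '
        /^[ \t]*#/ { next }    # skip comment lines
        /^[ \t]*(output|preprocessor|config)[ \t]+[A-Za-z0-9_]+:[^ \t]/ {
            fixed = $0
            sub(/:/, ": ", fixed)    # first colon is the one after the name
            printf "%s:%d: %s\n    suggest: %s\n", FILENAME, FNR, $0, fixed
            bad++
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Run against a file when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_conf_colons "$1"
fi
```

Saved under a hypothetical name such as `check_colons.sh`, it takes the path to the configuration file as its only argument and exits non-zero when any line is flagged.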

