Snort mailing list archives

Re: OpenPcap() error


From: Robert Cole <robert.cole () support4linux com>
Date: Tue, 18 Mar 2003 22:38:58 -0800

I've actually had the same problems with config parameters within the snort
conf. Andrew knows about it. You can specify -u and -g on the command
line and -D for daemon mode. It would be nice to just snort -c
/etc/snort.conf without all those command line args... but :)

Well, I believe I have confirmed a bug after many, many hours of testing and
trying today.

After I got your email, Alberto, I decided to come up with a very simple command
line from the 1.9.1 manual and use it to test with. Here's what I used:

snort -de -l /var/log/snort

and 

snort -de -l /var/log/snort -c /etc/snort/snort.conf

For the testing I decided to go ahead and load up the IP on the eth0 interface
instead of just activating it and logging via stealth mode. The IP for the
test is 192.168.0.111/24.

My workstation address is 192.168.0.12/24.

My snort.conf file looks like this:

config daemon
config set_uid: snort
config set_gid: snort

var EXTERNAL_NET any

config dump_payload
config dump_chars_only
config logdir: /var/log/snort
config interface:eth0
config reference_net: 192.168.0.0/24

preprocessor frag2

log udp 192.168.0.12/32 any -> 192.168.0.111/32 514 logto: ws1.log ;

I ran snort with the -c param in it and started a ping on my workstation to
the snort server and checked the /var/log/snort directory for results.
Nothing.

I stopped snort and the ping and started it WITHOUT the -c param and started
up the ping again and checked the /var/log/snort directory and POOF! I have
192.168.0.111 and 192.168.0.12 directories and PACKET_NONIP alert and ARP
files!!!

So one by one I comment out each and every line in my /etc/snort/snort.conf
file and test after each one until I'm down to them ALL commented out!! I
delete all the files and directories after each and every test to make sure
the /var/log/snort directory is clear. And even then snort refuses to log
anything if the -c param is specified!!!

There are no scripts involved here, just running the snort binary with command
line params.

Bottom line here, I think, is -c is BADLY broken!

Here are my compiler directives when snort was compiled in case that is an
issue: CFLAGS="-march=pentium2 -O2 -pipe -fomit-frame-pointer"

Another problem: I just tried all of the above without an IP assigned to the
interface. I got zero logging. At one time earlier today I had it logging
without an IP, but with all this fuss I've gone through so far I don't
remember what I did to get it working. The static ARP entry is still in my
workstation and the switch has a link to the logger even without an IP, and a
look at the switch MAC table shows it associated with the correct port, so I'm
all good there. Oh well, that's secondary at this point.

-c is a problem all the way around right now.

Any ideas?

Robert
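As an added example (not from Robert's post or the Snort project), a small Python check that walks the snort.conf quoted above and flags rules whose options are not wrapped in the parentheses Snort's rule grammar requires; the config text is a constructed copy of the posted one, and the linter only knows the directive keywords listed in it.

```python
import re
from typing import List, Tuple

# Constructed copy of the snort.conf posted in the message above.
SNORT_CONF = """\
config daemon
config set_uid: snort
config set_gid: snort

var EXTERNAL_NET any

config dump_payload
config dump_chars_only
config logdir: /var/log/snort
config interface:eth0
config reference_net: 192.168.0.0/24

preprocessor frag2

log udp 192.168.0.12/32 any -> 192.168.0.111/32 514 logto: ws1.log ;
"""

DIRECTIVES = {"config", "var", "preprocessor", "output", "include"}
RULE_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
# Rule header: action proto src sport dir dst dport, then optional "(options)".
RULE_HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?P<rest>.*)$"
)

def lint_snort_conf(text: str) -> List[Tuple[int, str]]:
    """Return (line_no, message) for every problem found; empty if clean."""
    problems = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        keyword = line.split(None, 1)[0]
        if keyword in DIRECTIVES:
            continue  # a config/var/preprocessor line, not a rule
        if keyword not in RULE_ACTIONS:
            problems.append((no, f"unknown rule action or directive {keyword!r}"))
            continue
        m = RULE_HEADER.match(line)
        if not m:
            problems.append((no, "malformed rule header"))
            continue
        rest = m.group("rest")
        # Snort rule options must be enclosed in parentheses: (opt: value; ...)
        if rest and not (rest.startswith("(") and rest.endswith(")")):
            problems.append((no, f"rule options not enclosed in parentheses: {rest!r}"))
    return problems
```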




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users