Snort mailing list archives

RE: First time in NIDS mode, and...


From: "John Berkers" <berjo () ozemail com au>
Date: Thu, 17 May 2001 09:32:43 +1000

Yes. If I recall correctly the 1.7 distro has its config file load each of
the includes from /etc/snort.  I notice that the command line loads the
snort.conf from /usr/local/snort-1.7, which would result in it not being
able to find the necessary include files.

John

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Scott, Joshua
Sent: Thursday, 17 May 2001 2:42
To: 'Oxenreider, Jeff'; 'John Sage'; Snort Users
Subject: RE: [Snort-users] First time in NIDS mode, and...


Make sure that either you run Snort from the directory that has all the
rules files and your snort.conf, or make sure that your snort.conf has the
full path to each of your rules files.

-----Original Message-----
From: Oxenreider, Jeff [mailto:jox () safelite com]
Sent: Wednesday, May 16, 2001 7:56 AM
To: 'John Sage'; Snort Users
Subject: RE: [Snort-users] First time in NIDS mode, and...


I've seen this happen to me on occasion, and if I open up the snort.conf
file, in "vi" and then do a "write quit", thereby updating the timestamp on
the file, and rerun snort, it fires right up.  I don't have an explanation
for the action and it hasn't been a burden on me too much and I just chalked
it up to something I was doing wrong so never posted any sort of a bug
report on it.
Bad Jeff, Bad.....


Jeffrey A. Oxenreider
Senior Network/Security Engineer
Safelite Glass Corp


-----Original Message-----
From: John Sage [mailto:jsage () finchhaven com]
Sent: Wednesday, May 16, 2001 10:27 AM
To: Snort Users
Subject: [Snort-users] First time in NIDS mode, and...


Just got snort on; works great in packet logging mode; now I'm moving on
to NIDS mode and I'm getting this:

from logcheck:

May 16 06:49:42 sparky pppd[10996]: Connect: ppp0 <--> /dev/modem
:
May 16 06:49:45 sparky snort: ERROR: Unable to open rules file: webcgi-lib
:
May 16 06:49:45 sparky kernel: device ppp0 entered promiscuous mode
May 16 06:49:45 sparky kernel: device ppp0 left promiscuous mode

command line (run from the script that sets up ipchains):

/usr/bin/snort -d -D -l /var/log/snort -h 192.168.1.0/24 -i ppp0 -c /usr/local/snort-1.7/snort.conf

snort.conf is the box-stock one that came with the 1.7 distro.

Question:

Why can't it load webcgi-lib? It's there, etc etc..

I'm getting no other messages about anything.

ps ax shows snort running in daemon mode with that command line, and
there is a zero-length file at /var/log/snort/portscan.log

Thnx..

- John
--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
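
A pre-flight check for the problem discussed in this thread, as an added example that is not from any of the posters or from the Snort distribution: it lists the include targets in a snort.conf that cannot be read from the directory Snort will be started in. It assumes relative targets resolve from that start directory, as the replies suggest; the function names and the local-lib file are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): find include targets in a
# snort.conf that do not resolve from Snort's start directory.

# missing_includes CONF START_DIR
# Prints each unreadable include target, one per line.
# Returns 0 when every target is readable, 1 otherwise.
# Variable references inside a target are not expanded.
missing_includes() {
    mi_conf=$1
    mi_start=$2
    mi_status=0
    # "|| [ -n ... ]" keeps a last line that has no trailing newline.
    while read -r mi_kw mi_target _rest || [ -n "$mi_kw" ]; do
        # Comment lines have "#..." as their first word, so they fall out here.
        [ "$mi_kw" = "include" ] || continue
        [ -n "$mi_target" ] || continue
        case $mi_target in
            /*) mi_path=$mi_target ;;            # absolute: used as written
            *)  mi_path=$mi_start/$mi_target ;;  # relative: assumed to resolve from START_DIR
        esac
        if [ ! -r "$mi_path" ]; then
            printf '%s\n' "$mi_target"
            mi_status=1
        fi
    done < "$mi_conf"
    return $mi_status
}

# Demo on a constructed layout: config and rules files together in one
# directory, then the same config checked from an unrelated directory.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/rules" "$d/elsewhere"
    : > "$d/rules/webcgi-lib"
    : > "$d/rules/local-lib"    # constructed file name
    printf '%s\n' '# constructed sample config' \
        'include webcgi-lib' 'include local-lib' > "$d/rules/snort.conf"
    echo "started from the rules directory:"
    missing_includes "$d/rules/snort.conf" "$d/rules" || true
    echo "started from another directory:"
    missing_includes "$d/rules/snort.conf" "$d/elsewhere" || true
    rm -rf "$d"
}
demo
```

A non-zero return before the daemon is launched is the cue to change directory first or to switch the include lines to full paths.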

