Snort mailing list archives

Re: the most cryptic fsck'ing thing...


From: John Sage <jsage () finchhaven com>
Date: Sun, 20 May 2001 19:33:45 -0700

Fyodor:

In a word, yes, /var/log/snort is there..

Actually, snort works great looking at eth0. It sees my rules, etc etc..

There seem to be issues with ppp0, although here's a snip from the snort archives from just last month.

This is the end of the thread:

> From: centipede (centiped () netvision net il)
> Date: Wed Apr 18 2001 - 16:46:04 CDT


Hi,

things are going on, slowly but still.
I've built the new snort 1.8 beta 2 , and used the --enable-debug option.
It seems that things are going quite well, and $ppp0_ADDRESS is assigned my.ip.my.ip/255.255.255.255.
The progress I've had is when running snort regularly, not as a daemon.
It worked! Running it as a daemon seems to be my problem, so meanwhile I'm gonna use it regularly, i.e.
snort -bla -bla -bla >/dev/null &
or something.
Any suggestion why the -D could be the problem?
Is there a better way to run it otherwise than I've mentioned?

thanks.
centipede.

Fyodor wrote:

On Sun, Apr 15, 2001 at 08:09:45PM +0300, centipede wrote:
<snip>

So presently I'm going to put on the latest libpcap and --what?-- the 1.8 beta of snort and see what happens..

Thanks for your response; sorry my post was so cranky...

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."

Fyodor wrote:

does your /var/log/snort/ directory exist?

On Sat, May 19, 2001 at 11:22:04AM -0700, John Sage wrote:

At the risk of seeming like a total idiot (at this point I don't care ;-)

Snort has got to be the most cryptic fsck'ing thing to get running I've ever seen!

Using this command line in /etc/rc.d/rc.firewall.strong (which runs when ppp0 comes up):

/usr/bin/snort -b -D -i ppp0 -c /usr/local/snort-1.7/snort.conf

and *only* this in /usr/local/snort-1.7/snort.conf:
(there's no fancy stuff... they're all commented out)

#
var HOME_NET 192.168.1.0/24

and *only* my local rules:

# local rules
include /usr/local/snort-1.7/tcp-local-lib
include /usr/local/snort-1.7/udp-local-lib
include /usr/local/snort-1.7/icmp-local-lib

Which have the same permissions as everything else, and which are nothing more than:


log tcp any any -> $HOME_NET any (msg:"TCP packet";)

log udp any any -> $HOME_NET any (msg:"UDP packet";)

log icmp any any -> $HOME_NET any (msg:"ICMP packet";)


(which I *think* should log *everything*...)


OK: So, I dial up, and the firewall comes up, and from ps ax I get:

26905 ? S 0:00 /usr/bin/snort -b -D -i ppp0 -c /usr/local/snort-1.7/snort.conf

and this, brand new, in /var/log/snort,

[root@sparky /var/log/snort]# ls -lat
total 10
drwxr-xr-x    2 root     root         1024 May 19 10:48 .
-rw-------    1 root     root            0 May 19 10:48 alert
-rw-------    1 root     root            0 May 19 10:48 snort-0519@1048.log

and nothing ever gets logged or written here, no matter what kind of packets come in or how long I wait.

So, when I add to snort.conf:

#
output log_tcpdump: /var/log/snort/snort.tcpdump

Which is *exactly* what is in the FAQ, I get:

May 19 10:48:44 sparky snort: log_tcpdump TcpdumpInitLogFile(): No such file or directory

What's that all about?

Is that why nothing's logging? (OK: well, duh..)

So, how do I fix "log_tcpdump TcpdumpInitLogFile(): No such file or directory" and why do I *have* to fix it, when this was just a plain vanilla, box-stock install right from the instructions in INSTALL?

Finally, how can I dump the current active variables?

Is there something like "echo $HOME_NET"?

Thanks loads,

- John
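Editor's added example (not Snort's code and not part of the thread): John asks how to see the active variables, and centipede's post shows Snort defining $ppp0_ADDRESS on its own. The script below models the documented `var NAME value` / `$NAME` substitution from a Snort 1.x-style config: it reads the snort.conf and the three rule files John quoted (embedded here as constructed strings), follows `include`, expands `$HOME_NET` in the rule headers, records any reference to a variable that was never defined, and dumps the resulting variable table. The ppp0 address (203.0.113.5/255.255.255.255) is a constructed placeholder, and nothing here diagnoses the log_tcpdump error.

```python
"""Resolve Snort 1.x-style config variables and dump the expanded rules.

Added illustration, not Snort's own parser. Models only `var`, `include`,
`output` and plain rule lines with $NAME substitution.
"""
import re
from typing import Dict, Iterator, List, Tuple

# Constructed stand-in for the three include files named in the post;
# the contents are exactly the rules John Sage quoted.
INCLUDED_FILES: Dict[str, str] = {
    "/usr/local/snort-1.7/tcp-local-lib":
        'log tcp any any -> $HOME_NET any (msg:"TCP packet";)\n',
    "/usr/local/snort-1.7/udp-local-lib":
        'log udp any any -> $HOME_NET any (msg:"UDP packet";)\n',
    "/usr/local/snort-1.7/icmp-local-lib":
        'log icmp any any -> $HOME_NET any (msg:"ICMP packet";)\n',
}

# The snort.conf from the post, with the output line John later added.
SNORT_CONF = """\
#
var HOME_NET 192.168.1.0/24

# local rules
include /usr/local/snort-1.7/tcp-local-lib
include /usr/local/snort-1.7/udp-local-lib
include /usr/local/snort-1.7/icmp-local-lib

output log_tcpdump: /var/log/snort/snort.tcpdump
"""

VAR_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line number, line) with backslash continuations joined,
    as Snort allows in rules. The number is that of the last physical line."""
    buf = ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        yield lineno, buf + raw
        buf = ""


class SnortConfig:
    def __init__(self, iface: str, iface_addr: str) -> None:
        # Snort predefines <iface>_ADDRESS as the sniffing interface's
        # address/netmask (centipede's post shows $ppp0_ADDRESS being set).
        # The value passed in here is a constructed placeholder.
        self.vars: Dict[str, str] = {f"{iface}_ADDRESS": iface_addr}
        self.rules: List[str] = []
        self.outputs: List[Tuple[str, str]] = []   # (plugin, argument)
        self.undefined: List[Tuple[str, str]] = []  # (name, file:line)

    def expand(self, text: str, where: str) -> str:
        """Substitute $NAME references; record any that are not defined."""
        def sub(m: "re.Match[str]") -> str:
            name = m.group(1)
            if name not in self.vars:
                self.undefined.append((name, where))
                return m.group(0)  # leave the unresolved reference visible
            return self.vars[name]
        return VAR_REF.sub(sub, text)

    def load(self, text: str, files: Dict[str, str], where: str = "snort.conf") -> None:
        for lineno, line in logical_lines(text):
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            loc = f"{where}:{lineno}"
            kw, _, rest = line.partition(" ")
            rest = rest.strip()
            if kw == "var":
                name, _, value = rest.partition(" ")
                self.vars[name] = self.expand(value.strip(), loc)  # values may use earlier vars
            elif kw == "include":
                path = self.expand(rest, loc)
                if path not in files:
                    raise FileNotFoundError(f"{loc}: include {path}")
                self.load(files[path], files, where=path)
            elif kw == "output":
                plugin, _, arg = rest.partition(":")
                self.outputs.append((plugin.strip(), self.expand(arg.strip(), loc)))
            else:
                self.rules.append(self.expand(line, loc))


def load_thread_config() -> SnortConfig:
    """Parse the snort.conf from the thread with a constructed ppp0 address."""
    cfg = SnortConfig("ppp0", "203.0.113.5/255.255.255.255")
    cfg.load(SNORT_CONF, INCLUDED_FILES)
    return cfg


def dump_vars(cfg: SnortConfig) -> Dict[str, str]:
    """The 'echo $HOME_NET' John asked for: every active variable, sorted by name."""
    return dict(sorted(cfg.vars.items()))


if __name__ == "__main__":
    cfg = load_thread_config()
    for name, value in dump_vars(cfg).items():
        print(f"var {name} = {value}")
    for rule in cfg.rules:
        print(rule)
    for name, loc in cfg.undefined:
        print(f"undefined variable ${name} referenced at {loc}")
```

Running it prints the two variables (HOME_NET from the config, ppp0_ADDRESS predefined) and the three rules with 192.168.1.0/24 substituted for $HOME_NET. A rule that references a variable no `var` line defines is reported with its file and line instead of silently matching nothing, which is the first thing to check when a rule set that "should log everything" logs nothing.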


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users