Snort mailing list archives

RE: setsockopt: Bad file descriptor


From: Ernie Dipko <edipko () printcafe com>
Date: Wed, 2 Jan 2002 22:22:23 -0500

Thanks much for your input....

I did pull down the new libpcap as you mentioned...but I wasn't recompiling
snort.  When I did the problem went away..

Thanks Again
Ernie


-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov] 
Sent: Wednesday, January 02, 2002 5:18 PM
To: Ernie Dipko
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] setsockopt: Bad file descriptor

On Wed, Jan 02, 2002 at 11:31:06AM -0500, Ernie Dipko wrote:
> Hi all...Happy new year...
>
> I am having a problem issuing the following command:
>
> snort -N -A none -p -T -r /usr/local/demarc/cgi/stub_traffic_file -l /usr/local/demarc/tmp -c /usr/local/demark/tmp/snort.conf 2>&1
>
> The command replies with:
>
> TCPDUMP file reading mode.
> Reading network traffic file from "/usr/local/demark/cgi/stub_traffic_file" file.
> Snaplen = 96
> Setsockopt: Bad file descriptor

Did you capitalize snaplen and setsockopt?  Cause my version of snort "same
as yours" does not.  Actually, not a lot of help here, but it looks like you
need to check your sources.

I pulled down http://www.tcpdump.org/release/libpcap-0.6.2.tar.gz and did
not find "Setsockopt:" either.

The only setsockopt: error is in live_open_new which seems at odds with the
-r option.

  I get this (as unpriv user) using your conf file (which had no rules):

$ /data/pw/bin/snort -N -A none -p -T -r /var/log/snort/lastnite -l
/var/log/snort -c /etc/snort/snort.conf
Log directory = /var/log/snort

        --== Initializing Snort ==--
TCPDUMP file reading mode.
Reading network traffic from "/var/log/snort/lastnite" file.
snaplen = 1514
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Back Orifice detection brute force: DISABLED
Using LOCAL time
Using LOCAL time
0 Snort rules read...
0 Option Chains linked into 0 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.3 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

Snort sucessfully loaded all rules and checked all rule chains!


============================================================================
===

Snort processed 0 packets.
Breakdown by protocol:                Action Stats:

    TCP: 0          (0.000%)          ALERTS: 0         
    UDP: 0          (0.000%)          LOGGED: 0         
   ICMP: 0          (0.000%)          PASSED: 0         
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
============================================================================
===
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
   Rebuilt IP Packets: 0         
   Frag elements used: 0         
Discarded(incomplete): 0         
   Discarded(timeout): 0         
============================================================================
===

TCP Stream Reassembly Stats:
   TCP Packets Used:      0          (0.000%)
   Reconstructed Packets: 0          (0.000%)
   Streams Reconstructed: 0         
============================================================================
===

$ 

>
> Can anyone help?
>
> I am on RedHat Linux 7.1, (2.4.9-12 kernel), libpcap-0.6.2, snort 1.8.3 (Build 88)
> Thanks
> Ernie
>
> I don't think it matters, but here is the snort.conf file I was using:
>
> # NOTE:
> # This snort.conf file has been automatically generated for you
> # in order to quickly bring a new snort/DEMARC sensor online.
> # This is BY NO MEANS a list of all options available to you
> # from a properly optimized snort.conf file.
> #
> # Once your sensor is online, and you are able to control it from
> # the DEMARC web interface, please go to http://snort.sourcefire.com/
> # to download the sample snort.conf file which you can then customize
> # to fit the needs of your network.
>
> var HOME_NET any
> var EXTERNAL_NET any
> var SMTP $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var DNS_SERVERS $HOME_NET
>
> preprocessor defrag
> preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
> preprocessor unidecode: 80
> preprocessor rpc_decode: 111
> preprocessor bo: -nobrute
> preprocessor telnet_decode
> preprocessor portscan: $HOME_NET 4 3 portscan.log
> preprocessor portscan-ignorehosts: 10.10.1.1 10.10.1.116
> output database: log, mysql, user=snort dbname=snort password={my password} host=127.0.0.1 sensor_name=netsniffer1
>
> #BEGIN RULES:
>

-- 
Phil Wood, cpw () lanl gov
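The two checks the thread arrives at, as an added example (not code from either poster or from the Snort project): first, is the installed snort binary older than the libpcap it should have been rebuilt against (Ernie's situation: new libpcap, snort never recompiled); second, Phil's "check your sources" step, i.e. does the exact error text the binary printed actually occur in the source tree you believe it was built from. Paths such as /usr/local/bin/snort and /usr/local/lib/libpcap.a are assumptions; the demo below uses constructed temporary files so it runs anywhere.

```shell
#!/bin/sh
# Added example, not part of the original thread.
#
#  stale_build BIN LIB        exit 0 if LIB is newer than BIN, i.e. the library was
#                             installed after the binary was built and BIN needs a
#                             rebuild (the situation resolved in this thread).
#  message_in_sources DIR STR exit 0 if the literal string STR occurs under DIR; an
#                             error message that cannot be found in the sources is a
#                             hint that a different binary is being run.
#
# Real paths are site-specific; /usr/local/bin/snort and /usr/local/lib/libpcap.a
# below are only assumptions for a typical source install.

stale_build() {
    bin="$1"; lib="$2"
    [ -e "$bin" ] && [ -e "$lib" ] || { echo "stale_build: missing file" >&2; return 2; }
    # POSIX find -newer: prints the library path only if it is newer than the binary.
    if [ -n "$(find "$lib" -newer "$bin")" ]; then
        return 0   # stale: library changed after the binary was linked
    fi
    return 1       # binary is at least as new as the library
}

message_in_sources() {
    dir="$1"; msg="$2"
    # -F: fixed string, so "Setsockopt:" and "setsockopt:" are distinct (case matters,
    # which is exactly the discrepancy Phil pointed at).
    grep -rF -- "$msg" "$dir" >/dev/null 2>&1
}

# Stand-alone demo with constructed files; on a real host you would pass
# /usr/local/bin/snort, /usr/local/lib/libpcap.a and the libpcap/snort source dirs.
demo() {
    tmp=$(mktemp -d)
    touch -t 200201010000 "$tmp/snort"       # binary "built" 1 Jan 2002
    touch -t 200201021700 "$tmp/libpcap.a"   # library installed the day after
    if stale_build "$tmp/snort" "$tmp/libpcap.a"; then
        echo "snort predates libpcap: recompile snort"
    fi
    mkdir -p "$tmp/src"
    # constructed stand-in for the lowercase message the real libpcap emits
    printf 'fprintf(stderr, "setsockopt: %%s");\n' > "$tmp/src/pcap-linux.c"
    if ! message_in_sources "$tmp/src" "Setsockopt:"; then
        echo "'Setsockopt:' not in sources: check which snort binary is running"
    fi
    rm -rf "$tmp"
}

demo
```

The mtime comparison is meaningful when snort was linked statically against libpcap.a, which is the usual case for a source build of that era; with a shared libpcap, `ldd` on the snort binary shows which .so is actually loaded and is the better first check.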

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users