Snort mailing list archives
RE: setsockopt: Bad file descriptor
From: Ernie Dipko <edipko () printcafe com>
Date: Wed, 2 Jan 2002 22:22:23 -0500
Thanks much for your input.... I did pull down the new libpcap as you mentioned... but I wasn't recompiling snort. When I did, the problem went away.

Thanks again,
Ernie

-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov]
Sent: Wednesday, January 02, 2002 5:18 PM
To: Ernie Dipko
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] setsockopt: Bad file descriptor

On Wed, Jan 02, 2002 at 11:31:06AM -0500, Ernie Dipko wrote:
> Hi all... Happy new year...
>
> I am having a problem issuing the following command:
>
>   snort -N -A none -p -T -r /usr/local/demarc/cgi/stub_traffic_file -l /usr/local/demarc/tmp -c /usr/local/demark/tmp/snort.conf 2>&1
>
> The command replies with:
>
>   TCPDUMP file reading mode.
>   Reading network traffic file from "/usr/local/demark/cgi/stub_traffic_file" file.
>   Snaplen = 96
>   Setsockopt: Bad file descriptor
Did you capitalize snaplen and setsockopt? Cause my version of snort "same as yours" does not.

Actually, not a lot of help here, but it looks like you need to check your sources. I pulled down http://www.tcpdump.org/release/libpcap-0.6.2.tar.gz and did not find "Setsockopt:" either. The only setsockopt: error is in live_open_new, which seems at odds with the -r option.

I get this (as unpriv user) using your conf file (which had no rules):

  $ /data/pw/bin/snort -N -A none -p -T -r /var/log/snort/lastnite -l /var/log/snort -c /etc/snort/snort.conf
  Log directory = /var/log/snort

          --== Initializing Snort ==--
  TCPDUMP file reading mode.
  Reading network traffic from "/var/log/snort/lastnite" file.
  snaplen = 1514
  Initializing Preprocessors!
  Initializing Plug-ins!
  Initializating Output Plugins!
  Parsing Rules file /etc/snort/snort.conf

  +++++++++++++++++++++++++++++++++++++++++++++++++++
  Initializing rule chains...
  Back Orifice detection brute force: DISABLED
  Using LOCAL time
  Using LOCAL time
  0 Snort rules read...
  0 Option Chains linked into 0 Chain Headers
  0 Dynamic rules
  +++++++++++++++++++++++++++++++++++++++++++++++++++

  Rule application order: ->activation->dynamic->alert->pass->log

          --== Initialization Complete ==--

  -*> Snort! <*-
  Version 1.8.3 (Build 88)
  By Martin Roesch (roesch () sourcefire com, www.snort.org)
  Snort sucessfully loaded all rules and checked all rule chains!
  ===============================================================================
  Snort processed 0 packets.
  Breakdown by protocol:                Action Stats:
      TCP: 0          (0.000%)          ALERTS: 0
      UDP: 0          (0.000%)          LOGGED: 0
     ICMP: 0          (0.000%)          PASSED: 0
      ARP: 0          (0.000%)
     IPv6: 0          (0.000%)
      IPX: 0          (0.000%)
    OTHER: 0          (0.000%)
  ===============================================================================
  Fragmentation Stats:
  Fragmented IP Packets: 0          (0.000%)
     Rebuilt IP Packets: 0
     Frag elements used: 0
  Discarded(incomplete): 0
     Discarded(timeout): 0
  ===============================================================================
  TCP Stream Reassembly Stats:
         TCP Packets Used: 0          (0.000%)
    Reconstructed Packets: 0          (0.000%)
    Streams Reconstructed: 0
  ===============================================================================
  $
> Can anyone help?
>
> I am on RedHat Linux 7.1 (2.4.9-12 kernel), libpcap-0.6.2, snort 1.8.3 (Build 88)
>
> Thanks
> Ernie
>
> I don't think it matters, but here is the snort.conf file I was using:
>
> # NOTE:
> # This snort.conf file has been automatically generated for you
> # in order to quickly bring a new snort/DEMARC sensor online.
> # This is BY NO MEANS a list of all options available to you
> # from a properly optimized snort.conf file.
> #
> # Once your sensor is online, and you are able to control it from
> # the DEMARC web interface, please go to http://snort.sourcefire.com/
> # to download the sample snort.conf file which you can then customize
> # to fit the needs of your network.
>
> var HOME_NET any
> var EXTERNAL_NET any
> var SMTP $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var DNS_SERVERS $HOME_NET
>
> preprocessor defrag
> preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
> preprocessor unidecode: 80
> preprocessor rpc_decode: 111
> preprocessor bo: -nobrute
> preprocessor telnet_decode
> preprocessor portscan: $HOME_NET 4 3 portscan.log
> preprocessor portscan-ignorehosts: 10.10.1.1 10.10.1.116
>
> output database: log, mysql, user=snort dbname=snort password={my password} host=127.0.0.1 sensor_name=netsniffer1
>
> #BEGIN RULES:
--
Phil Wood, cpw () lanl gov