Snort mailing list archives
FW: FW: ERROR: OpenPcap
From: "Michael Steele" <michaels () silicondefense com>
Date: Wed, 19 Jun 2002 15:09:31 -0700
Mike,

It sometimes takes a few minutes to start receiving the alerts. You can add this to your local.rules file (be sure to take the hash mark out in front of the include for that in Snort.conf) and you will get all kinds of alerts to your database. When you're done testing, be sure to place the hash mark back in your snort.conf in front of the include statement for local.rules, or your database will grow, rather quickly.

    alert tcp any any <> any any (msg:"alert-local test";)

The line works as far as I know. It has, in the past without quotes around it? Let me know if placing the quotes around it fixed it and I will revise my docs. Send me a copy of your actual line.

-Michael

--
Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: Mike Balzotti [mailto:mike.balzotti () worldwidepackets com]
Sent: Wednesday, June 19, 2002 2:40 PM
To: Michael Steele
Subject: RE: [Snort-users] FW: ERROR: OpenPcap

Probably don't miss as many as me :)

Ok I thought it was working, but....

"At that same command prompt type:

    Snort -c C:\snort\Snort.conf -l C:\Program Files\Apache Group\Apache\htdocs\logs -ix

Note: -ix (x is the number of the NIC to place the Snort sensor on)

Note: If there were no errors produced then Snort should have created an Alert.ids file in the C:\Program Files\Apache Group\Apache\htdocs\logs folder."

I do not get any errors any longer but I also don't get the Alert.ids file. Did I screw something up pretty bad? By the way the adapter that I am using is 1. I used your test to figure it out.

Thanks-
Mike

-----Original Message-----
From: Michael Steele [mailto:michaels () silicondefense com]
Sent: Wednesday, June 19, 2002 2:38 PM
To: Mike Balzotti
Cc: Chris Reid
Subject: RE: [Snort-users] FW: ERROR: OpenPcap

All;

I always miss the easy ones! It was not only marked once, but twice! :-)

Next..

-Michael

--
Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: Mike Balzotti [mailto:mike.balzotti () worldwidepackets com]
Sent: Wednesday, June 19, 2002 1:37 PM
To: Chris Reid; Michael Steele
Subject: RE: [Snort-users] FW: ERROR: OpenPcap

Ok yeah that worked. Thanks for the fast reply. I knew it was something stupid that I was doing.

Mike

-----Original Message-----
From: Chris Reid [mailto:chris.reid () codecraftconsultants com]
Sent: Wednesday, June 19, 2002 1:23 PM
To: Michael Steele; snort-users () lists sourceforge net
Cc: Mike Balzotti
Subject: Re: [Snort-users] FW: ERROR: OpenPcap

Mike,

Take a closer look at the command line. There's a space between "Program" and "Files", and another space between "Apache" and "Group". Put the whole path after -l in double quotes.

Chris Reid

----- Original Message -----
From: "Michael Steele" <michaels () silicondefense com>
To: <snort-users () lists sourceforge net>
Sent: Wednesday, June 19, 2002 1:26 PM
Subject: [Snort-users] FW: ERROR: OpenPcap

Mike,

Use Snort -W to get a list of adapters. Say you only have one adapter, so it should show your adapter in location 1. CD to your snort folder and type Snort -v -i1 and that will allow snort to sniff on adapter 1. After doing this you should see all kinds of traffic in the command window, if not go to your browser and generate some traffic.

Let me know how things go.

-Michael

--
Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: Mike Balzotti [mailto:mike.balzotti () worldwidepackets com]
Sent: Wednesday, June 19, 2002 11:41 AM
To: michaels () silicondefense com
Subject: ERROR: OpenPcap

I am trying to install snort from your documentation. Upon testing to make sure it is working I get an error. The test I am running is

    Snort -c C:\snort\Snort.conf -l C:\Program Files\Apache Group\Apache\htdocs\logs -ix

where x = 1

The snort -v -x1 works fine as far as I can tell.

The error I get on the first is as follows

    C:\Snort\Snort -c C:\snort\Snort.conf -l C:\Program Files\Apache Group\Apache\htdocs\logs -ix
    log directory = C:\Program
    Initializing Network Interface \
    ERROR: OpenPcap() FSM compilation failed:
            parse error
    PCAP command: Files\Apache Group\Apache\htdocs\logs -i2
    Fatal Error, quitting..

Thanks for your help in this.

Mike Balzotti
Network Systems Technician II
World Wide Packets <http://www.worldwidepackets.com>
1-509-242-9411
Bringing you mounds of caffeinated joy >>> http://thinkgeek.com/sf <<< _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
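Added example (not part of the original thread, and not Snort's own code): a simplified Python model of why the unquoted -l path in this thread produced the posted OpenPcap error. It assumes getopt-style parsing in which everything after the first non-option word is joined into the packet-filter expression, as the "PCAP command:" line in the error output suggests; split_args and parse are hypothetical helper names and the two command lines are constructed from the thread with adapter 1.

```python
# Simplified model (assumption, see lead-in): options are read left to right,
# parsing stops at the first word that is not an option, and the leftover
# words are handed to the capture library as a filter expression.

OPTS_WITH_ARG = {"-c", "-l"}   # options from the thread that take a separate value

# Constructed inputs: the command from the thread, without and with quotes.
UNQUOTED = r'Snort -c C:\snort\Snort.conf -l C:\Program Files\Apache Group\Apache\htdocs\logs -i1'
QUOTED = r'Snort -c C:\snort\Snort.conf -l "C:\Program Files\Apache Group\Apache\htdocs\logs" -i1'


def split_args(cmdline):
    """Split on whitespace, keeping double-quoted runs together (backslashes stay literal)."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args


def parse(cmdline):
    """Return (options, leftover filter text) for a Snort-style command line."""
    argv = split_args(cmdline)[1:]          # drop the program name
    opts, i = {}, 0
    while i < len(argv) and argv[i].startswith("-"):
        word = argv[i]
        if word in OPTS_WITH_ARG and i + 1 < len(argv):
            opts[word] = argv[i + 1]        # value is the next word only
            i += 2
        elif word.startswith("-i") and len(word) > 2:
            opts["-i"] = word[2:]           # -i1 style: value attached
            i += 1
        else:
            opts[word] = True
            i += 1
    return opts, " ".join(argv[i:])         # leftovers become the filter


if __name__ == "__main__":
    for label, line in (("unquoted", UNQUOTED), ("quoted", QUOTED)):
        opts, flt = parse(line)
        print(f"{label}: log dir={opts.get('-l')!r} adapter={opts.get('-i')!r} filter={flt!r}")
```

In the unquoted case the log directory is cut at the first space and the -i option is never read as an option, which matches the "log directory = C:\Program" and "PCAP command:" lines in the posted output.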