Snort mailing list archives
RE: 1.9.0beta4
From: "Gray . Brendan" <bgray2 () drc com>
Date: Wed, 14 Aug 2002 14:08:08 -0400
I'm now running 1.9.0beta4 as snort -A full -d and it appears to be working. It's logging alerts, and eth0 is staying in promisc mode.

Brendan

-----Original Message-----
From: Chris Green [mailto:cmg () sourcefire com]
Sent: Wednesday, August 14, 2002 1:21 PM
To: Gray . Brendan
Subject: Re: [Snort-users] 1.9.0beta4

"Gray . Brendan" <bgray2 () drc com> writes:

> I'm testing 1.9.0beta4 and it's not working. Well, to be more specific, I'm
> running RedHat 7.3 on an x86 with all the updates, and when I start Snort
> (snort -A full -d -D) snort will run, but nothing gets logged.

Take off the -D option and see what error it reports. Please reply to snort-users as others might have the same problem.

> I'm looking at the /var/log/messages file, and it seems that when I start
> snort, eth0 goes into promiscuous mode, and then leaves promisc mode almost
> immediately thereafter. Is it a bug or a problem with my system (libpcap
> maybe?)? I originally had snort-1.8.6 installed via demarc on the box.
> Demarc was turned off (psd -k) and the new snort binary has replaced the
> snort-1.8.6 binary. Here's a brief cut & paste from /var/log/messages:
>
> Aug 14 12:45:35 testbox kernel: device eth0 entered promiscuous mode
> Aug 14 12:45:35 testbox snort: using config file ./snort.conf
> Aug 14 12:45:35 testbox snort: http_decode arguments:
> Aug 14 12:45:35 testbox snort: Unicode decoding
> Aug 14 12:45:35 testbox snort: IIS alternate Unicode decoding
> Aug 14 12:45:35 testbox snort: IIS double encoding vuln
> Aug 14 12:45:35 testbox snort: Flip backslash to slash
> Aug 14 12:45:35 testbox snort: Include additional whitespace separators
> Aug 14 12:45:35 testbox snort: Ports to decode http on: 80
> Aug 14 12:45:35 testbox snort: telnet_decode arguments:
> Aug 14 12:45:35 testbox snort: Ports to decode telnet on: 21 23 25 119
> Aug 14 12:45:35 testbox snort: Conversation Config:
> Aug 14 12:45:35 testbox snort: KeepStats: 0
> Aug 14 12:45:35 testbox snort: Conv Count: 32000
> Aug 14 12:45:35 testbox snort: Timeout : 60
> Aug 14 12:45:35 testbox snort: Allowed IP Protocols:
> Aug 14 12:45:35 testbox snort: All
> Aug 14 12:45:35 testbox snort:
> Aug 14 12:45:35 testbox snort: Portscan2 config:
> Aug 14 12:45:35 testbox snort: log: /var/log/snort/scan.log
> Aug 14 12:45:35 testbox snort: scanners_max: 3200
> Aug 14 12:45:35 testbox snort: targets_max: 5000
> Aug 14 12:45:35 testbox snort: target_limit: 5
> Aug 14 12:45:35 testbox snort: port_limit: 20
> Aug 14 12:45:35 testbox snort: timeout: 60
> Aug 14 12:45:37 testbox snort: Initializing daemon mode
> Aug 14 12:45:37 testbox snort: PID stat checked out ok, PID set to /var/run/
> Aug 14 12:45:37 testbox snort: Writing PID file to "/var/run/"
> Aug 14 12:45:37 testbox snort: Snort initialization completed successfully, Snort running
> Aug 14 12:45:37 testbox kernel: device eth0 left promiscuous mode
>
> All of the default rules are activated, except x11, coldfusion, and php
> which are commented out. I have set the HOME_NET and EXTERNAL_NET values,
> and I activated the policy and porn rules, to see what I'd discover.
>
> Brendan
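A defender-side check for the symptom in this thread, added here as an example and not part of the original exchange: it parses kernel syslog lines of the form quoted above and flags any interface that left promiscuous mode within a few seconds of entering it, which is what a sniffer dying right after daemonizing looks like in /var/log/messages. The sample lines are constructed, modelled on the excerpt; the year is assumed, since syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample modelled on the /var/log/messages excerpt in the thread
# (not a real capture); eth1 is added to show a sensor that stayed up.
SAMPLE_LOG = """\
Aug 14 12:45:35 testbox kernel: device eth0 entered promiscuous mode
Aug 14 12:45:35 testbox snort: using config file ./snort.conf
Aug 14 12:45:37 testbox snort: Initializing daemon mode
Aug 14 12:45:37 testbox snort: Snort initialization completed successfully, Snort running
Aug 14 12:45:37 testbox kernel: device eth0 left promiscuous mode
Aug 14 12:46:10 testbox kernel: device eth1 entered promiscuous mode
"""

# Matches the kernel's promiscuous-mode transition messages only.
PROMISC_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: device (?P<dev>\S+) "
    r"(?P<action>entered|left) promiscuous mode$"
)


def parse_ts(ts, year=2002):
    # syslog timestamps carry no year; the year is an assumed value here
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_short_promisc_windows(log_text, max_seconds=5):
    """Return (flapped, still_promisc): flapped lists (device, seconds) for
    every interface that left promiscuous mode within max_seconds of
    entering it; still_promisc lists devices that never left."""
    entered = {}
    flapped = []
    for line in log_text.splitlines():
        m = PROMISC_RE.match(line)
        if not m:
            continue
        dev, ts = m.group("dev"), parse_ts(m.group("ts"))
        if m.group("action") == "entered":
            entered[dev] = ts
        elif dev in entered:
            delta = (ts - entered.pop(dev)).total_seconds()
            if delta <= max_seconds:
                flapped.append((dev, delta))
    return flapped, sorted(entered)


if __name__ == "__main__":
    flapped, up = find_short_promisc_windows(SAMPLE_LOG)
    for dev, secs in flapped:
        print(f"{dev}: left promiscuous mode after {secs:.0f}s; sniffer likely exited")
    print("still capturing on:", ", ".join(up) or "none")
```

Run it against a real /var/log/messages by reading the file into `find_short_promisc_windows`; a flapped interface means the sensor is not capturing even though the daemon reported a successful start.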
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- 1.9.0beta4 Chris Green (Aug 13)
- <Possible follow-ups>
- RE: 1.9.0beta4 Gray . Brendan (Aug 14)
- Re: 1.9.0beta4 Chris Green (Aug 14)
- RE: 1.9.0beta4 Gray . Brendan (Aug 14)