Snort mailing list archives

RE: Upgrading Snort - Baffled?


From: chae <chae () hyper net nz>
Date: Thu, 18 Jul 2002 17:02:54 +1200

Hi Yah,

Appreciate everyone's feedback :) Being the Windows man, RPMs seemed easier than doing it via tar. The original version 1.8.1 was installed via the GUI of the Cobalt by the previous owners (pkg format) and the pkg was deleted, so of course uninstall was no use.

I downloaded the latest 1.8.7.i386 rpm and of course didn't use the --force option to begin with, so I got a lot of conflicts, but after doing a force (thanks Virgil) it installed okay. What I have noticed is that there are strange things afoot.

For example, where the binary should be /usr/sbin/snort, after the force install I had both a snort and a snort-plain; the snort file is a symbolic link to snort-plain? Then in the /etc/rc.d/init.d folder there was a snort and a snortd start file (sigh). I then tried using the snortd and edited it to include the following:

snort -c /etc/snort/snort.conf -D -O -h -N -l /var/log/snort -b

I got nothing but netmask errors, yet it's always been eth0 and the snortd startup script has eth0 as the default, and nothing was changed in the snort.conf file; netmask and var HOME_NET have stayed the same as before, nothing has changed there.

So I placed the old snort startup file back and called it up as follows:

/etc/rc.d/init.d/snort start -c /etc/snort/snort.conf -D -O -h -N -l /var/log/snort -b

and away it went, no problem - started up in daemon mode and eth0 was being used as before.

Now the only problem I have is that syslog says that when snort starts it's reading /etc/snort.conf, but there is nothing there; the config file was in /etc/snort/snort.conf. For the love of me I can't see where it's reading that - I'm assuming snort looks there as the default and then, if it can't find it, looks elsewhere - am I correct in assuming that :). Copied the conf file to /etc anyway.

And the original problem is still here - even when snort is up and running okay and reading the correct conf file, it only reports intrusions/attacks/probes for the ICMP rules, spp_stream4 and the Virus ruleset; it is not logging any of the others. It does portscans okay and I have logcheck reporting them, but I can't understand why it's not using all the rulesets? Prior to this there was plenty of information coming through from 1.8.1....mmmhhhh???? It's a fresh install/update of the latest version and ruleset.

I think I might just uninstall the main files manually and then reinstall again. I also think I'll let it run for 24 hours and see what the reports say - any comments?

Regards

Chae
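When a forced RPM upgrade leaves a Snort install reporting on only a few rulesets, the first thing to check is which snort.conf is actually being loaded and what its `include` lines resolve to: after a package swap, `var RULE_PATH` often points at the old rules directory, or the new default snort.conf ships with most includes commented out. The script below is an added example written for this archive page, not code from the thread or from the Snort project. It parses the `var`/`include` syntax of a Snort 1.8-era snort.conf, expands `$VAR` references, resolves each include, and reports whether the file exists and how many active rule lines it holds, plus any includes that are commented out. It assumes relative include paths resolve against the config file's directory; if snort is started from a different working directory, pass that directory as `base_dir` instead. The sample config and rule files it builds are constructed for the demo.

```python
import os
import re
import tempfile

# snort.conf syntax handled: "var NAME value", "include path", "# include path"
VAR_RE = re.compile(r'^\s*var\s+(\w+)\s+(\S+)')
INCLUDE_RE = re.compile(r'^\s*include\s+(\S+)')
DISABLED_INCLUDE_RE = re.compile(r'^\s*#\s*include\s+(\S+)')
VAR_REF_RE = re.compile(r'\$(\w+)')
# A rule line starts with one of the Snort rule actions followed by whitespace
RULE_LINE_RE = re.compile(r'^(alert|log|pass|activate|dynamic)\s')


def expand_vars(value, variables):
    """Replace $NAME references with previously defined var values."""
    return VAR_REF_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), value)


def count_rules(path):
    """Count active (uncommented) rule lines in a rule file."""
    n = 0
    with open(path) as fh:
        for line in fh:
            if RULE_LINE_RE.match(line.strip()):
                n += 1
    return n


def audit_config(conf_path, base_dir=None):
    """Resolve every include in snort.conf and report its state.

    Returns {'vars': {...}, 'active': [include dicts], 'disabled': [raw paths]}.
    Relative includes are resolved against base_dir (assumption: the config
    file's own directory unless the caller says otherwise).
    """
    base_dir = base_dir or os.path.dirname(os.path.abspath(conf_path))
    variables, active, disabled = {}, [], []
    with open(conf_path) as fh:
        for line in fh:
            m = VAR_RE.match(line)
            if m:
                variables[m.group(1)] = expand_vars(m.group(2), variables)
                continue
            m = DISABLED_INCLUDE_RE.match(line)
            if m:
                disabled.append(m.group(1))
                continue
            m = INCLUDE_RE.match(line)
            if m:
                resolved = expand_vars(m.group(1), variables)
                if not os.path.isabs(resolved):
                    resolved = os.path.join(base_dir, resolved)
                resolved = os.path.normpath(resolved)
                exists = os.path.isfile(resolved)
                active.append({
                    'raw': m.group(1),
                    'resolved': resolved,
                    'exists': exists,
                    'rules': count_rules(resolved) if exists else None,
                })
    return {'vars': variables, 'active': active, 'disabled': disabled}


def build_demo():
    """Construct a throwaway snort.conf (sample data, not a real install):
    one populated rule file, one empty one, one referenced but missing,
    and one include that is commented out. Returns the snort.conf path."""
    tmp = tempfile.mkdtemp()
    rules = os.path.join(tmp, 'rules')
    os.mkdir(rules)
    with open(os.path.join(rules, 'icmp.rules'), 'w') as fh:
        fh.write('alert icmp any any -> $HOME_NET any (msg:"demo icmp 1"; sid:1000001;)\n'
                 '# alert icmp any any -> any any (msg:"disabled"; sid:1000002;)\n'
                 'alert icmp any any -> $HOME_NET any (msg:"demo icmp 2"; sid:1000003;)\n')
    open(os.path.join(rules, 'web.rules'), 'w').close()  # present but empty
    conf = os.path.join(tmp, 'snort.conf')
    with open(conf, 'w') as fh:
        fh.write('var HOME_NET 192.168.1.0/24\n'
                 'var RULE_PATH ./rules\n'
                 'include $RULE_PATH/icmp.rules\n'
                 'include $RULE_PATH/web.rules\n'
                 'include $RULE_PATH/scan.rules\n'
                 '# include $RULE_PATH/exploit.rules\n')
    return conf


def report(conf_path, base_dir=None):
    """Print a one-line verdict per include; returns the audit dict."""
    result = audit_config(conf_path, base_dir)
    for inc in result['active']:
        if not inc['exists']:
            state = 'MISSING'
        elif inc['rules'] == 0:
            state = 'EMPTY (0 active rules)'
        else:
            state = '%d active rules' % inc['rules']
        print('%-30s -> %s: %s' % (inc['raw'], inc['resolved'], state))
    for raw in result['disabled']:
        print('%-30s    commented out in snort.conf' % raw)
    return result


if __name__ == '__main__':
    report(build_demo())
```

Run it against the real file (`report('/etc/snort/snort.conf')`) and compare with the path syslog says snort opened; an include that is MISSING, EMPTY, or commented out explains a ruleset that never alerts. Separately, Snort's `-h` option takes a home-network argument (`-h <hn>`), so on a command line where `-h` is immediately followed by another flag, that flag is consumed as the network spec, which produces netmask errors unrelated to the interface.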


