Snort mailing list archives

Re: OpenPcap() error


From: Robert Cole <robert.cole () support4linux com>
Date: Tue, 18 Mar 2003 10:07:53 -0800

Full disclosure:

/var/log/messages section with the latest error:

Mar 18 09:42:08 logger login(pam_unix)[3059]: session opened for user root by (uid=0)
Mar 18 09:44:52 logger device eth0 entered promiscuous mode
Mar 18 09:44:52 logger snort: WARNING: OpenPcap() device eth0 network lookup: eth0: no IPv4 address assigned
Mar 18 09:44:52 logger snort: Initializing daemon mode
Mar 18 09:44:53 logger snort: PID path stat checked out ok, PID path set to /var/run/
Mar 18 09:44:53 logger snort: Writing PID "3125" to file "/var/run//snort_eth0.pid"
Mar 18 09:44:53 logger snort: Found logdir config directive (/var/log/snort)
Mar 18 09:44:53 logger device eth0 left promiscuous mode
Mar 18 09:44:53 logger snort uses obsolete (PF_INET,SOCK_PACKET)
Mar 18 09:44:53 logger snort: FATAL ERROR: ERROR: OpenPcap() device eth0 open: socket: Operation not permitted

/etc/snort/snort.conf

var EXTERNAL_NET any

config dump_payload
config dump_chars_only
config logdir:/var/log/snort
config daemon
config interface:eth0
config verbose
config chroot:/var/log/snort
config reference_net:192.168.0.0/24
config set_gid:snort
config set_uid:snort

preprocessor frag2

log udp 192.168.0.12/32 -> 192.168.0.111/32 514 (logto:"ws1.log";)

and the /etc/init.d/snort startup script. I'm working on clarifying that 
SNORT_OPTS is just pointing to /etc/snort/snort.conf

#!/sbin/runscript
# Copyright 1999-2003 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License, v2 or later
# $Header: /home/cvsroot/gentoo-x86/net-analyzer/snort/files/snort.rc6,v 1.3 2003/02/14 22:58:13 vapier Exp $

depend() {
        need net
}

checkconfig() {
        if [ ! -e /etc/snort/snort.conf ] ; then
                eerror "You need an /etc/snort/snort.conf to run snort"
                eerror "There is an example config in /etc/snort/snort.conf.distrib"
                return 1
        fi
}

start() {
        checkconfig || return 1
        ebegin "Starting snort"
        start-stop-daemon --start --quiet --exec /usr/bin/snort \
                -- ${SNORT_OPTS} >/dev/null 2>&1
        eend $?
}

stop() {
        ebegin "Stopping snort"
        start-stop-daemon --stop --quiet --pidfile ${PIDFILE}
        #kill  -9 `cat $PIDFILE`  2>&1
        eend $?
}


My attempt is to make snort work entirely from the /etc/snort/snort.conf file 
and work without an IP addy of course. :) 

I've played with the conf file extensively working from this link 
http://www.linuxjournal.com/article.php?sid=6222 
as a starting point. And this link 
http://www.linuxjournal.com/modules.php?op=modload&name=NS-lj-issues/issue102&file=6222l3 
for the snort.conf file as a starting point. I had to base off this very very 
loosely as it is very RH centric. 

My goal is to produce new documentation for running snort as a stealth logger. 
I can get it running and logging stealth just not with a conf file.

Thanks,
Robert
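As an added example (not part of the original mail, and not Snort's own code), the following Linux preflight script checks the two conditions the log excerpt above reports on for a "stealth" interface: whether the device exists and is up, whether it has an IPv4 address (the WARNING line; none is expected for a stealth logger), and whether the calling process can open the raw packet socket a capture engine needs at all (the FATAL line's "socket: Operation not permitted" is the kernel's EPERM for that call when the process lacks root/CAP_NET_RAW). The interface name, the function names and the report layout are this example's own assumptions; the ioctl numbers and flag bits are the standard Linux values.

```python
import errno
import fcntl
import os
import socket
import struct

# Linux ioctl numbers and flag bits (from <linux/sockios.h> and <net/if.h>)
SIOCGIFFLAGS = 0x8913
SIOCGIFADDR = 0x8915
IFF_UP = 0x1
IFF_PROMISC = 0x100
ETH_P_ALL = 0x0003


def running_as_root():
    """True when the effective uid is 0 (the usual way to hold CAP_NET_RAW)."""
    return os.geteuid() == 0


def _ifreq(ifname):
    # 256 bytes is larger than struct ifreq on any Linux ABI; the kernel only
    # copies sizeof(ifreq), so this avoids hard-coding the structure size.
    return struct.pack("256s", ifname.encode()[:15])


def interface_flags(ifname):
    """Return the IFF_* flag word for ifname, or None if it does not exist."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        res = fcntl.ioctl(s.fileno(), SIOCGIFFLAGS, _ifreq(ifname))
    except OSError as e:
        if e.errno == errno.ENODEV:
            return None
        raise
    finally:
        s.close()
    return struct.unpack_from("H", res, 16)[0]


def ipv4_address(ifname):
    """Return the dotted-quad IPv4 address of ifname, or None when the
    interface has no address (the case Snort warns about) or does not exist."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        res = fcntl.ioctl(s.fileno(), SIOCGIFADDR, _ifreq(ifname))
    except OSError as e:
        if e.errno in (errno.EADDRNOTAVAIL, errno.ENODEV):
            return None
        raise
    finally:
        s.close()
    return socket.inet_ntoa(res[20:24])


def can_open_packet_socket():
    """Try to open the raw packet socket a capture engine needs. Without root
    (CAP_NET_RAW) the kernel answers EPERM, which is the text
    'socket: Operation not permitted' seen in the syslog excerpt."""
    family = getattr(socket, "AF_PACKET", None)  # Linux only
    if family is None:
        return False, "socket: AF_PACKET not supported on this platform"
    try:
        s = socket.socket(family, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    except OSError as e:
        return False, "socket: " + os.strerror(e.errno)
    s.close()
    return True, "ok"


def stealth_preflight(ifname):
    """Summarise whether ifname is usable as an IP-less sniffing interface."""
    flags = interface_flags(ifname)
    report = {"interface": ifname, "exists": flags is not None}
    if flags is None:
        report["problems"] = ["interface does not exist"]
        return report
    report["up"] = bool(flags & IFF_UP)
    report["promisc"] = bool(flags & IFF_PROMISC)
    report["ipv4"] = ipv4_address(ifname)
    report["stealth"] = report["ipv4"] is None  # no IPv4 address: expected here
    ok, msg = can_open_packet_socket()
    report["capture_socket"] = msg
    problems = []
    if not report["up"]:
        problems.append("interface is down")
    if not ok:
        problems.append("cannot open capture socket: " + msg)
    report["problems"] = problems
    return report


if __name__ == "__main__":
    import json
    import sys
    # Assumed default interface name; pass another as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "eth0"
    print(json.dumps(stealth_preflight(target), indent=2))
```

Running it once as root and once as the unprivileged user Snort is told to switch to (set_uid:snort) shows the difference directly: the second run reports the capture socket failing with "Operation not permitted", which is why the packet socket must be opened before privileges are dropped, not after.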


On Tuesday 18 March 2003 09:19 am, Erek Adams wrote:
On Tue, 18 Mar 2003, Robert Cole wrote:
OpenPcap() errors go back years as I stated. A search on google for
OpenPcap() turned up years worth of unanswered posts to the exact error
I'm talking about.

I'll post all my info and detailed logs on this problem shortly. It's
snort 1.9.1 I'm talking about but since this error goes back years it
doesn't appear to make a difference. That's why I didn't bother with a
whole lot the first time. It's extensively documented through 100s of
posts over the past 3 years with no answers.

But in the meantime I can start snort from the command line with params
but when I try to use the snort.conf file I get the openpcap() error.

There is a FAQ on snort.org but it references the windows version only.

Thank you for your reply and I'll post the requested info shortly.

I'll bet your command line is something like the following:

      snort <some options> -s <some other options>

Due to a fix that was added, then partially 'lost', -s can have a
parameter.  Going out on a limb--Change the command line so that -s is the
last parameter in the list.

      snort <all other options> -s

And you should be fine.

You might want to consider:

      output alert_syslog: LOG_AUTH LOG_ALERT

In your snort.conf instead of using -s.

Again, I'm guessing...  :)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.net email is sponsored by: Does your code think in ink?
You could win a Tablet PC. Get a free Tablet PC hat just for playing.
What are you waiting for?
http://ads.sourceforge.net/cgi-bin/redirect.pl?micr5043en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


