Re: OpenPcap() error

[Phil Wood <cpw () cynosure lanl gov>]

Your comments regarding snort are un-founded.

The problem appears to be on your end.  It could be problems with:

  1. your eth0 interface

  2. your routing

  3. your kernel version

  4. your understanding of IP, network addresses, cidr notation.

  5. whatever.

I don't know what the problem on your end is but, I can say that with a config
like so:

  var MY_IP 192.168.1.2/32
  var HOME_NET $MY_IP
  var EXTERNAL_NET ![$HOME_NET]
  
  config daemon
  config set_uid: snort
  config set_gid: snort
  config dump_payload
  config dump_chars_only
  config logdir: /var/log/snort
  config interface:eth0
  config reference_net: 192.168.1.0/24
  
  preprocessor frag2
  
  log icmp $MY_IP any -> $EXTERNAL_NET any (logto: "ws1.log";)

I can run the following command:

  # snort -c my.config

Ping some place like www.snort.org (even though they don't reply):

  # ping -c 1 www.snort.org

and find a file named ws1.log in /var/log/snort.

If you are brave, grab the two attachments and put them into a directory like

  /tmp/cole

and try:

  sh my.commandline

I cannot guarantee success, because I don't know what kernel, and other
factors might be contribute to your problem.

That's all.

On Tue, Mar 18, 2003 at 12:44:41PM -0800, Robert Cole wrote:
> I commented out the chroot for now. That took care of the problem with the 
> alert file
>
> > > It does except when it sits there logging to the screen taking the tty
> > > session. Loggin onto another term and doing a ps shows me that snort is
> > > running as root.
> >
> > That's expected.  Exactly as planned....
>
> umm... I thought it was going to run as user snort if I put the uid and gid as 
> that in the conf file?
>
> > Edit your .conf file so that there is a space following each colon.  From
> > what you sent earlier, you have:
>
> And I did do this on everything with a :
>
> Almost there! :) The init scripts will have to be modified for sure. I played 
> around with them a bit and found the SNORT_OPS and all (a review of the 
> gentoo init system was required :) ) and made a few unsuccessful changes to 
> it while waiting for the email to ring. :) I'm not all that worried about it. 
> It looks like I need to learn how to use the start-stop-daemon app.
>
> I'll worry about getting it running with only a -c param first.
>
> Thanks again.
>
> Robert
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Does your code think in ink? 
> You could win a Tablet PC. Get a free Tablet PC hat just for playing. 
> What are you waiting for?
> http://ads.sourceforge.net/cgi-bin/redirect.pl?micr5043en
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov

Attachment: my.commandline
Description:

Attachment: my.config.template
Description: