Snort mailing list archives

Re: OpenPcap() error


From: Erek Adams <erek () snort org>
Date: Sat, 22 Mar 2003 12:06:28 -0500 (EST)

On Tue, 18 Mar 2003, Robert Cole wrote:

[...snip...]

snort -de -l /var/log/snort

and

snort -de -l /var/log/snort -c /etc/snort/snort.conf

Suggested change:

        ln -s /etc/snort/snort.conf /etc/snort.conf

Then start snort with:

        snort


config daemon
config set_uid: snort
config set_gid: snort

var EXTERNAL_NET any

config dump_payload
config dump_chars_only
config logdir: /var/log/snort
config interface:eth0
config reference_net: 192.168.0.0/24

preprocessor frag2

log udp 192.168.0.12/32 any -> 192.168.0.111/32 514 logto: ws1.log ;

I've got it working with the following config with no problem.

        config daemon
        config set_uid: snort
        config set_gid: snort
        config decode_data_link
        config dump_payload
        config dump_chars_only
        config interface: eth0
        log udp 192.168.0.12/32 any -> 192.168.0.111/32 514 (logto: "ws1.log";)

No EXTERNAL_NET needed due to your rule.  No logdir needed as
/var/log/snort is the default.  No reference net needed.  With snort.conf
symlinked, you don't need to specify that on startup.  No need for frag2
unless you're worried about frags.

As for your issue, part of it seems that you were missing () around logto:,
and that you were missing quotes around ws1.log.

Make those changes and you should be in business.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
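The two defects Erek points out (no parentheses around the option list, no quotes around the logto filename) can be checked mechanically. The block below is an added example, not code from this thread or from the Snort project: a deliberately simplified checker for a single Snort 2.x rule line whose grammar covers only the header fields and `key:value;` options used here, run against the rule as posted and against the corrected form.

```python
import re

# Simplified Snort 2.x rule grammar (added example, assumption: no line
# continuations, no ';' inside option values):
#   action proto src_ip src_port direction dst_ip dst_port (opt:value; ...)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|activate|dynamic)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"(?P<rest>.*)$"
)
# Options whose argument Snort expects in double quotes.
QUOTED_OPTS = {"logto", "msg", "content", "uricontent", "pcre"}

def check_rule(rule: str) -> list[str]:
    """Return the problems found in one Snort rule; an empty list means it parses."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ["rule header does not parse"]
    rest = m.group("rest").strip()
    if not rest:
        return []                      # header-only rule (no options) is legal
    problems = []
    if rest.startswith("(") and rest.endswith(")"):
        body = rest[1:-1].strip()
    else:
        problems.append("rule options must be enclosed in ( )")
        body = rest.strip("()").strip()  # keep checking what is there
    if body and not body.endswith(";"):
        problems.append("each option must be terminated by ';'")
    for opt in body.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, sep, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if sep and key in QUOTED_OPTS and not (len(val) >= 2 and val[0] == val[-1] == '"'):
            problems.append(f"{key}: argument must be quoted, got {val!r}")
    return problems

# Constructed inputs: the rule as originally posted, and the corrected form.
BROKEN = "log udp 192.168.0.12/32 any -> 192.168.0.111/32 514 logto: ws1.log ;"
FIXED = 'log udp 192.168.0.12/32 any -> 192.168.0.111/32 514 (logto: "ws1.log";)'

if __name__ == "__main__":
    for r in (BROKEN, FIXED):
        print(r, "->", check_rule(r) or "OK")
```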


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users