Snort mailing list archives

RE: Syslog,MySql, IDS Center /Eagle X


From: "McBurnett, Jim" <jmcburnett () msmgmt com>
Date: Mon, 19 May 2003 14:01:49 -0400

Okay,
This is what I am getting..
This seems weird..
But it must be a PCAP issue....
Thoughts??

Jim

C:\Documents and Settings\jmcburnett>C:\EagleX\snort\bin\snort.exe -c "C:\EagleX\snort\etc\snort.conf" -l "C:\EagleX\snort\logs" -i 2 -d -e -y -s 127.0.0.1:514
Running in IDS mode
Log directory = C:\EagleX\snort\logs

Initializing Network Interface \Device\NPF_{150F8050-7325-4DAF-A177-662A51C877E9}
ERROR: OpenPcap() FSM compilation failed:
        PCAP command: %s

Fatal Error, Quitting..

C:\Documents and Settings\jmcburnett>C:\EagleX\snort\bin\snort.exe -c "C:\EagleX\snort\etc\snort.conf" -l "C:\EagleX\snort\logs" -i 2 -d -e -y -s "127.0.0.1:514"
Running in IDS mode
Log directory = C:\EagleX\snort\logs

Initializing Network Interface \Device\NPF_{150F8050-7325-4DAF-A177-662A51C877E9}
ERROR: OpenPcap() FSM compilation failed:
        PCAP command: %s

Fatal Error, Quitting..

C:\Documents and Settings\jmcburnett>C:\EagleX\snort\bin\snort.exe -c "C:\EagleX\snort\etc\snort.conf" -l "C:\EagleX\snort\logs" -s 127.0.0.1:514 -i 2 -d -e -y
Running in IDS mode
Log directory = C:\EagleX\snort\logs

Initializing Network Interface \Device\NPF_{C174027D-4189-497B-8143-E5FA7A9557F5}
ERROR: OpenPcap() FSM compilation failed:
        PCAP command: %s

Fatal Error, Quitting..

C:\Documents and Settings\jmcburnett>C:\EagleX\snort\bin\snort.exe -c "C:\EagleX\snort\etc\snort.conf" -l "C:\EagleX\snort\logs" -s 127.0.0.1:514 -i 2 -d -e -y
Running in IDS mode
Log directory = C:\EagleX\snort\logs

Initializing Network Interface \Device\Packet_{C174027D-4189-497B-8143-E5FA7A9557F5}
ERROR: OpenPcap() FSM compilation failed:
        PCAP command: %s

Fatal Error, Quitting..

C:\Documents and Settings\jmcburnett>


-----Original Message-----
From: Ueli Kistler [mailto:iuk () gmx ch]
Sent: Monday, May 19, 2003 1:04 PM
To: McBurnett, Jim
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Syslog,MySql, IDS Center /Eagle X


Hello

McBurnett, Jim wrote:

> Ok all,
> I have searched all the archives, googled this to death and I am still drawing a blank..
> I know I am missing something.
> I am running this on a Windows XP, Fresh install, Norton AV.
> System is running a 2.6 GHz P4 with 512M RAM..
> Started with the Eagle X package.
> MySql, ACID it all works great...

sure, but it's old.. at least update to Snort 2.0.. update will be available soon after putting online the new website: www.engagesecurity.com

> I tried to add Syslog to it and Bingo-- It crashes every time it sends a message..
> I tried to send to an external syslog.. no go. I tried an on Machine Syslog.
> No go.. System has 3 NICS, and I am using the 2nd NIC.

Snort 2.0 has a broken syslog support (I think.. correct me if I should be wrong .. but I don't think so)
note that snort always tries to bind the socket to NIC 1! You must have -s option activated ("Log settings"->"Logging parameters".. Type hostname of the syslog server)

> I thought maybe it was an issue with Snort 1.9. So I updated to Snort 2.0

no .. activate "-s" option AND add an output plugin (syslog output plugin) in the output plugin wizard

> No go, same problem, but now the snort service won't even start with Syslog enabled
> There is nothing in the Event log of relevance, the Test of the Config looks fine.
> I can post or email offlist the config file if anyone is willing to help me...
>
> Does anyone have any ideas?

Don't bother Chris Reid .. I'm sure he's working on this (or perhaps not) ;)

> Thanks,
> Jim

Regards,
   Ueli Kistler
   eclipse () engagesecurity com
   www.engagesecurity.com (soon online)

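As an added diagnostic (not Snort's code and not from either poster): the error in the runs at the top of this message is pcap refusing to compile the BPF filter, and Snort builds that filter from whatever non-option arguments remain after command-line parsing. The script below replays the first and third command lines from the thread through Python's getopt under two assumed option specs, one where `-s` is a bare flag and one where it takes a `server:port` argument; which one the Eagle X build actually uses is an assumption, not something the thread states.

```python
import getopt

# Added diagnostic, not Snort's code. Snort hands every non-option argument left on
# the command line to pcap_compile() as its BPF filter; "OpenPcap() FSM compilation
# failed" is what it prints when that filter does not compile. The two option specs
# below are assumptions about the Eagle X build: in one, -s is a bare flag, in the
# other it takes a server:port argument.
SPEC_S_FLAG = "c:l:i:desy"    # hypothetical: -s takes no argument
SPEC_S_VALUE = "c:l:i:des:y"  # hypothetical: -s <server:port>


def split_snort_cmdline(argv, spec):
    """Split argv into (options, bpf_filter) with POSIX getopt semantics.

    POSIX getopt stops at the first non-option argument, so everything from
    there on becomes the filter expression, including any options after it.
    """
    opts, rest = getopt.getopt(argv, spec)
    return dict(opts), " ".join(rest)


# Constructed from the first and third invocations in the thread above.
COMMON = ["-c", r"C:\EagleX\snort\etc\snort.conf", "-l", r"C:\EagleX\snort\logs"]
RUN_S_LAST = COMMON + ["-i", "2", "-d", "-e", "-y", "-s", "127.0.0.1:514"]
RUN_S_FIRST = COMMON + ["-s", "127.0.0.1:514", "-i", "2", "-d", "-e", "-y"]


def explain(argv):
    """Return {hypothesis: (interface seen by -i, bpf_filter)} for both specs."""
    result = {}
    for name, spec in (("flag", SPEC_S_FLAG), ("value", SPEC_S_VALUE)):
        opts, bpf = split_snort_cmdline(argv, spec)
        result[name] = (opts.get("-i", "<default>"), bpf)
    return result


if __name__ == "__main__":
    for label, argv in (("-s last", RUN_S_LAST), ("-s first", RUN_S_FIRST)):
        for name, (iface, bpf) in explain(argv).items():
            print(f"{label:9} -s as {name:5}: -i={iface:9} BPF filter={bpf!r}")
```

Under the bare-flag spec, `127.0.0.1:514` (and, when `-s` comes first, everything after it) becomes the filter expression, which is not valid BPF syntax; the interface GUID changing between the second and third runs above is what you would see if `-i 2` were no longer being parsed.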