Re: Enc: Problems to start snort 2.9

["Ivani A. Nascimento" <ivani_nascimento () yahoo com br>]

Hi folks,

I'm still looking for a solution for my problem with the snort.
Actually, I don't know which kind of Linux is running on the parent host.
We've installed the CentOS 5.5, this is output of uname:

uname -a
Linux snortlab 2.6.18-194.8.1.el5.028stab070.5 #1 SMP Fri Sep 17 19:10:36 MSD 2010 i686 i686 i386 GNU/Linux

I'm not sure what kind of interface is venet0:0, I thought it was xen.

I tried this:

snort -vv -i lo
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "lo".
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0.4 IPv6 GRE (Build 110)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 6.6 06-Feb-2006
           Using ZLIB version: 1.2.3

Commencing packet processing (pid=21572


Well, this works fine. But, if I try:

snort -vv -i venet0
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "venet0".
Decoding Linux SLL

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0.4 IPv6 GRE (Build 110)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 6.6 06-Feb-2006
           Using ZLIB version: 1.2.3

Commencing packet processing (pid=5776)
Can't acquire (-1) - cooked-mode frame doesn't have room for sll header!

And the snort can't start.

Any ideas?

Thank you so much.

Regards,

Ivani Nascimento


--- Em sex, 1/4/11, Ivani A. Nascimento <ivani_nascimento () yahoo com br> escreveu:

De: Ivani A. Nascimento <ivani_nascimento () yahoo com br>
Assunto: Re: [Snort-users] Enc: Problems to start snort 2.9
Para: "Snort Users" <snort-users () lists sourceforge net>
Data: Sexta-feira, 1 de Abril de 2011, 13:36

Hi folks.

As I said earlier, I would try install the new packages rpm (2.9.4).
I did it but I can't still start the snort.

I reviewed the logs, snort.conf, but nothing. 
At first glance, everything ok. Now, I'm looking for problems in the SO.

Please, someone here is running snort in a virtual environment, specially Xen to share experience with me?

Thank you all.

Regards,

Ivani Nascimento

--- Em sex, 1/4/11, Ivani A. Nascimento <ivani_nascimento () yahoo com br> escreveu:

> De: Ivani A. Nascimento <ivani_nascimento () yahoo com br>
> Assunto: Re: [Snort-users] Enc: Problems to start snort 2.9
> Para: "Snort Users" <snort-users () lists sourceforge net>
> Data: Sexta-feira, 1 de Abril de 2011, 10:38
>
> Thanks for your answer.
> My machine is hosted in a Xen's environment. I'm running
> CentOS 5.5 , kernel 2.6.18-194.8.1.el5.028stab070.5.
> As I said, I'm newbie about snort, so I don't know if I
> forgot any detail configuration.
>
> I've already installed the snort in another virtual
> machine, but the environment was vmware and all the things
> worked fine.
>
> This is my interface:
>
> venet0:0  Link encap:UNSPEC  HWaddr
> 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
>           inet
> addr:XXX.XXX.XXX.XXX  P-t-P:XXX.XXX.XXX.XXX 
> Bcast:XXX.XXX.XXX.XXX  Mask:255.255.255.255
>           UP BROADCAST POINTOPOINT
> RUNNING NOARP  MTU:1500  Metric:1
>
> Ahn, I'm using snort 2.9.3 (I've used Vincent Cojot's
> rpms). I saw that there is a new versions the rpm, I'll try
> update.
>
> Thank you all.
>
> Regards,
>
> Ivani
>
> --- Em qui, 31/3/11, Jason Wallace <jason.r.wallace () gmail com>
> escreveu:
>
> > De: Jason Wallace <jason.r.wallace () gmail com>
> > Assunto: Re: [Snort-users] Enc: Problems to start
> snort 2.9
> > Para: "Ivani A. Nascimento" <ivani_nascimento () yahoo com br>
> > Cc: "Snort Users" <snort-users () lists sourceforge net>
> > Data: Quinta-feira, 31 de Março de 2011, 18:19
> > If it is a VMware virtual
> > environment, ensure that vmware-tools is
> > installed and the service is started, and then change
> the
> > interface
> > type of the VM to e1000. That should be supported in
> your
> > kernel.
> > Newer kernels have support for the new vmxnet3
> interfaces.
> > ... ~ # uname -a
> > Linux uscla1004x 2.6.36-gentoo-r5 #7 SMP Wed Feb 16
> > 13:30:51 EST 2011
> > x86_64 Intel(R) Xeon(R) CPU X5650 @ 2.67GHz
> GenuineIntel
> > GNU/Linux
> >
> > ... ~ # zcat /proc/config.gz |grep -i vmx
> > CONFIG_VMXNET3=y
> >
> >
> > So far they appear to be working well for packet
> capture.
> > Thx,
> > Wally
> >
> > On Thu, Mar 31, 2011 at 3:27 PM, Ivani A. Nascimento
> > <ivani_nascimento () yahoo com br>
> > wrote:
> > > Hi Russ,
> > >
> > > Thanks for your answer. Really, I saw the post
> that
> > you are
> > > mentioning, but any answer.
> > >
> > > Well, the interface is venet0:0; it's a virtual
> > > environment.
> > >
> > > IIt'll be any change in the kernel? I'm using
> > > 2.6.18-194.8.1.el5.028stab070.5.
> > >
> > > Thank you again.
> > >
> > >
> > >
> > > --- Em qui, 31/3/11, Russ Combs <rcombs () sourcefire com>
> > escreveu:
> > > De: Russ Combs <rcombs () sourcefire com>
> > > Assunto: Re: [Snort-users] Enc: Problems to
> start
> > snort 2.9
> > > Para: "Ivani A. Nascimento" <ivani_nascimento () yahoo com br>
> > > Cc: snort-users () lists sourceforge net
> > > Data: Quinta-feira, 31 de Março de 2011, 15:21
> > >
> > > Looks like someone posted the same error about a
> year
> > ago on snort.org with 2.8.5, apparently w/o
> resolution.
> > > What type of interface is it?  libpcap will
> assume
> > SLL for unknown types and expect the kernel to leave
> room to
> > prepend the header.
> > > Appears to be making the wrong assumption.
> > >
> > > On Thu, Mar 31, 2011 at 1:48 PM, Ivani A.
> Nascimento
> > <ivani_nascimento () yahoo com br>
> > wrote:
> > > Hi, folks!
> > >
> > >
> > >
> > > I'm newbie using Snort and I have a doubt.
> > >
> > >
> > >
> > > I've googled many sites, lists,  but I'm lost
> about a
> > weird error.
> > > I've installed the snort 2.9 but I can't start
> it.
> > Looking the logs, I've found:
> > > Mar 31 13:45:18 snortlab snort[16294]:      
>  
> > --== Initialization Complete ==--
> > > Mar 31 13:45:18 snortlab snort[16294]:
> Commencing
> > packet processing (pid=16294)
> > > Mar 31 13:45:19 snortlab snort[16294]: Can't
> acquire
> > (-1) - cooked-mode frame doesn't have room for sll
> header!
> > > ---
> > >
> > > ---
> > >
> > > Mar 31 13:45:50 snortlab snort[16294]:
> ===============================================================================
> > > Mar 31 13:45:50 snortlab snort[16294]:
> ===============================================================================
> > > Mar 31 13:45:50 snortlab snort[16294]: dcerpc2
> > Preprocessor Statistics
> > > Mar 31 13:45:51 snortlab snort[16294]:   Total
> > sessions: 0
> > > Mar 31 13:45:51 snortlab snort[16294]:
> ===============================================================================
> > > Mar 31 13:45:52 snortlab snort[16294]:
> ===============================================================================
> > > Mar 31 13:45:52 snortlab snort[16294]: Snort
> exiting
> > > I'm using CentOS 5.5.  Anyone you help me?
> > >
> > >
> > >
> > > Thanks for advance,
> > >
> > >
> > >
> > > Nix
> ------------------------------------------------------------------------------
> > > Create and publish websites with WebMatrix
> > >
> > > Use the most popular FREE web apps or write code
> > yourself;
> > > WebMatrix provides all the features you need to
> > develop and
> > > publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
> > >
> > > _______________________________________________
> > >
> > > Snort-users mailing list
> > >
> > > Snort-users () lists sourceforge net
> > >
> > > Go to this URL to change user options or
> unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > >
> > > Snort-users list archive:
> > >
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> ------------------------------------------------------------------------------
> > > Create and publish websites with WebMatrix
> > > Use the most popular FREE web apps or write code
> > yourself;
> > > WebMatrix provides all the features you need to
> > develop and
> > > publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or
> unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> ------------------------------------------------------------------------------
> Create and publish websites with WebMatrix
> Use the most popular FREE web apps or write code yourself;
>
> WebMatrix provides all the features you need to develop and
>
> publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


------------------------------------------------------------------------------
Xperia(TM) PLAY
It's a major breakthrough. An authentic gaming
smartphone on the nation's most reliable network.
And it wants your games.
http://p.sf.net/sfu/verizon-sfdev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users