Snort mailing list archives
Re: ERROR: Can't initialize DAQ pcap (-1) - truncated dump file; tried to read 4 file header bytes, only got 0
From: Scott Thomas <scott_pin () yahoo com>
Date: Wed, 30 Nov 2016 11:20:23 -0500
Al,

Thanks - that made a big difference! I see the same results when reading the pcap file, but not the log:

shadow:~ scott$ sudo snort -c ./ICMP.conf -r ./ICMP.pcap -A console -l. -k none -q
11/30-08:33:47.582367 [**] [1:1000001:0] TEST [**] [Priority: 0] {ICMP} 10.82.211.200 -> 4.2.2.1
11/30-08:33:47.604801 [**] [1:1000001:0] TEST [**] [Priority: 0] {ICMP} 4.2.2.1 -> 10.82.211.200
11/30-08:33:48.585656 [**] [1:1000001:0] TEST [**] [Priority: 0] {ICMP} 10.82.211.200 -> 4.2.2.1
11/30-08:33:48.613333 [**] [1:1000001:0] TEST [**] [Priority: 0] {ICMP} 4.2.2.1 -> 10.82.211.200
11/30-08:33:49.590077 [**] [1:1000001:0] TEST [**] [Priority: 0] {ICMP} 10.82.211.200 -> 4.2.2.1
11/30-08:33:49.616103 [**] [1:1000001:0] TEST [**] [Priority: 0] {ICMP} 4.2.2.1 -> 10.82.211.200
11/30-08:33:50.593670 [**] [1:1000001:0] TEST [**] [Priority: 0] {ICMP} 10.82.211.200 -> 4.2.2.1
11/30-08:33:50.615623 [**] [1:1000001:0] TEST [**] [Priority: 0] {ICMP} 4.2.2.1 -> 10.82.211.200

When running snort -r:

shadow:~ scott$ sudo snort -r snort.log.1480521623

I now see the packets, etc. (hooray!)

Leaving HOME_NET replaced by "any" in the config file, I ran snort -A console again, and this time I see data when I ping the box (ICMP packets similar to your test file). I'm not able to read the snort.log file, but I gather that is because it isn't configured to be human readable.

So it appears my issue was caused primarily by the $HOME_NET variable not being correctly configured. I'll work on that!

Thank you very much for taking time to help!

Scott
On Nov 30, 2016, at 10:30 AM, Al Lewis (allewi) <allewi () cisco com> wrote:

Use this as a test. You should be able to run it like:

ALLEWI-M-8257:snort-2.9.8.3 allewi$ ./bin/snort -c etc/ICMP.conf -r ~/Downloads/PCAPS/ICMP.pcap -A console -l. -k none -q
11/30-08:33:47.582367 [**] [1:1000001:0] TEST [**] [Priority: 0] {ICMP} 10.82.211.200 -> 4.2.2.1
11/30-08:33:47.604801 [**] [1:1000001:0] TEST [**] [Priority: 0] {ICMP} 4.2.2.1 -> 10.82.211.200
11/30-08:33:48.585656 [**] [1:1000001:0] TEST [**] [Priority: 0] {ICMP} 10.82.211.200 -> 4.2.2.1
11/30-08:33:48.613333 [**] [1:1000001:0] TEST [**] [Priority: 0] {ICMP} 4.2.2.1 -> 10.82.211.200
11/30-08:33:49.590077 [**] [1:1000001:0] TEST [**] [Priority: 0] {ICMP} 10.82.211.200 -> 4.2.2.1
11/30-08:33:49.616103 [**] [1:1000001:0] TEST [**] [Priority: 0] {ICMP} 4.2.2.1 -> 10.82.211.200
11/30-08:33:50.593670 [**] [1:1000001:0] TEST [**] [Priority: 0] {ICMP} 10.82.211.200 -> 4.2.2.1
11/30-08:33:50.615623 [**] [1:1000001:0] TEST [**] [Priority: 0] {ICMP} 4.2.2.1 -> 10.82.211.200

Which produced a log file: snort.log.1480516905

I can read the file then like this:

ALLEWI-M-8257:snort-2.9.8.3 allewi$ ./bin/snort -r snort.log.1480516905
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
-------------------------------------------------
Keyword | Output @
-------------------------------------------------
alert_syslog : 0x1069c3780
log_tcpdump : 0x1069c6920
alert_fast : 0x1069c2290
alert_full : 0x1069c2e20
alert_unixsock: 0x1069c4930
alert_CSV : 0x1069c5170
log_null : 0x1069c6810
log_unified2 : 0x1069c7650
alert_unified2: 0x1069c77b0
unified2 : 0x1069c7910
log_ascii : 0x1069cae70
—— output clipped ----

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

On 11/30/16, 8:33 AM, "Al Lewis (allewi)" <allewi () cisco com> wrote:

You can either google for one or use tcpdump/snoop/wireshark etc.. to capture your ping traffic.

Also you won't be able to use -r to read the log file. If you get the events working on the console the logging should be pretty simple. See if you can get the events on the console first.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

On 11/30/16, 8:27 AM, "Scott Thomas" <scott_pin () yahoo com> wrote:

Al,

Thanks - I'm having trouble finding the pcap files (if they exist!). In /var/log/snort I see two files of 0 bytes - snort.log and alert. Is the log directory the default location for them? (sorry to be so clueless!)

Scott

On Nov 30, 2016, at 8:09 AM, Al Lewis (allewi) <allewi () cisco com> wrote:

Scott,

You don't need the two interfaces right away. If you are pinging the device and DON'T see packets within the exit stats something else probably is wrong with your network setup.

As another test, can you read a pcap file and get alerts? Use the -r instead of the interface to replay an icmp pcap back into snort. So your command would be "sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -r 'whatever your pcap file is'"

Try this first.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

On 11/30/16, 7:59 AM, "Scott Thomas" <scott_pin () yahoo com> wrote:

Hello Al,

Thank you for this response. I do not see any packets within the exit status, and I do have a rule to alert on icmp (copied from the pdf guide). However, I do not have two interfaces. I'll see if I can get that set up and test it further.

Thank you!

Scott

On Nov 30, 2016, at 7:52 AM, Al Lewis (allewi) <allewi () cisco com> wrote:

Hello Scott,

To start snort "inline" you need two interfaces. Based on what you have below there is only one being used.

Do you see any packets within your exit stats? Do you have a rule setup to alert on the icmp traffic? (Snort will only log things that should be alerted on when using IDS mode)

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

On 11/30/16, 7:29 AM, "Scott Thomas" <scott_pin () yahoo com> wrote:

This may be from being a newbie, but I see other indications of folks with a similar issue, but no solutions that have solved it for me. I have searched the list via web and found a post of 5 October 2016 with a similar subject, but no resolution. I am running almost the identical setup.

Snort is on a Debian Jessie (8.6.0) vm (kvm). I have configured my system per the doc Snort_2.9.8.x_on_Ubuntu_12-14-15.pdf (except for some path differences). When I start snort inline (with sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0) it starts as expected, silently listening. I ping the IP of the vm system from another box, but there is no output on the console.

Checking the log:

sudo snort -r /var/log/snort/snort.log
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to read-file.
ERROR: Can't initialize DAQ pcap (-1) - truncated dump file; tried to read 4 file header bytes, only got 0
Fatal Error, Quitting..

As with the poster in the prior thread, I can find nothing in the archives or an online search that helps me solve this. Please help!

Thank you in advance,
Scott

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!

<ICMP.conf><ICMP.pcap>
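As an added illustration (not code from the thread, from Snort, or from libpcap), here is a small Python checker for the "truncated dump file; tried to read 4 file header bytes, only got 0" condition: it reads a capture file's 24-byte global header and 16-byte record headers the way libpcap does, so a 0-byte snort.log, a file that is not pcap at all, and a capture cut off mid-record can be told apart before the file is handed to snort -r. The pcap layout is the standard libpcap one; the make_pcap helper and the sample frames are constructed here for the demonstration.

```python
import struct

# Legacy libpcap magic numbers -> (struct byte order, timestamp unit).
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "usec"), b"\xa1\xb2\xc3\xd4": (">", "usec"),
    b"\x4d\x3c\xb2\xa1": ("<", "nsec"), b"\xa1\xb2\x3c\x4d": (">", "nsec"),
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block


def check_pcap(data: bytes) -> dict:
    """Classify capture bytes the way libpcap (and so snort -r) sees them."""
    if len(data) < 4:  # the thread's 0-byte snort.log: "only got 0"
        return {"status": "truncated_header", "got": len(data)}
    magic = data[:4]
    if magic == PCAPNG_MAGIC:
        return {"status": "pcapng", "got": len(data)}
    if magic not in PCAP_MAGICS:
        return {"status": "not_pcap", "got": len(data)}
    if len(data) < 24:  # global header is 24 bytes
        return {"status": "truncated_header", "got": len(data)}
    endian, ts_unit = PCAP_MAGICS[magic]
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    off, packets = 24, 0
    while off < len(data):  # walk the 16-byte record headers
        if off + 16 > len(data):
            return {"status": "truncated_record", "packets": packets}
        _sec, _frac, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        if incl_len > snaplen or off + 16 + incl_len > len(data):
            return {"status": "truncated_record", "packets": packets}
        packets, off = packets + 1, off + 16 + incl_len
    return {"status": "ok", "version": (major, minor), "linktype": linktype,
            "snaplen": snaplen, "ts_unit": ts_unit, "packets": packets}


def make_pcap(frames, linktype=1, snaplen=65535) -> bytes:
    # Constructed helper: wrap raw frames in a little-endian pcap (v2.4, LINKTYPE_ETHERNET=1).
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1480516905 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed samples: a 14-byte Ethernet header plus 28 filler bytes standing in for an
# IPv4/ICMP echo; the checker only needs record lengths, not packet contents.
SAMPLE_FRAME = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + b"\x00" * 28
EMPTY_LOG = b""                        # what a 0-byte snort.log looks like to libpcap
GOOD_PCAP = make_pcap([SAMPLE_FRAME, SAMPLE_FRAME])
CUT_PCAP = GOOD_PCAP[:-10]             # capture cut off mid-record
```

Running check_pcap over the bytes of /var/log/snort/snort.log before trying snort -r tells you whether the file was ever written to, which is the question this thread turned on.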