Snort mailing list archives

RE: First time in NIDS mode, and...

From: "Scott, Joshua" <Joshua.Scott () jacobs com>
Date: Wed, 16 May 2001 12:41:51 -0400

Make sure that either you run Snort from the directory that has all the
rules files and your snort.conf, or make sure that your snort.conf has the
full path to each of your rules files.

-----Original Message-----
From: Oxenreider, Jeff [mailto:jox () safelite com]
Sent: Wednesday, May 16, 2001 7:56 AM
To: 'John Sage'; Snort Users
Subject: RE: [Snort-users] First time in NIDS mode, and...

I've seen this happen to me on occasion, and if I open up the snort.conf
file, in "vi" and then do a "write quit", thereby updating the timestamp on
the file, and rerun snort, it fires right up.  I don't have an explanation
for the action and it hasn't been a burden on me too much and I just chalked
it up to something I was doing wrong so never posted any sort of a bug
report on it.

Bad Jeff, Bad..... 

Jeffrey A. Oxenreider 
Senior Network/Security Engineer 
Safelite Glass Corp 

-----Original Message----- 
From: John Sage [ mailto:jsage () finchhaven com <mailto:jsage () finchhaven com>
] 
Sent: Wednesday, May 16, 2001 10:27 AM 
To: Snort Users 
Subject: [Snort-users] First time in NIDS mode, and... 

Just got snort on; works great in packet logging mode; now I'm moving on 
to NIDS mode and I'm getting this: 

from logcheck: 
May 16 06:49:42 sparky pppd[10996]: Connect: ppp0 <--> /dev/modem 
: 
May 16 06:49:45 sparky snort: ERROR: Unable to open rules file: webcgi-lib 
: 
May 16 06:49:45 sparky kernel: device ppp0 entered promiscuous mode 
May 16 06:49:45 sparky kernel: device ppp0 left promiscuous mode 

command line (run from the script that sets up ipchains): 

/usr/bin/snort -d -D -l /var/log/snort -h 192.168.1.0/24 -i ppp0 -c 
/usr/local/snort-1.7/snort.conf 

snort.conf is the box-stock one that came with the 1.7 distro. 

Question: 

Why can't it load webcgi-lib? It's there, etc etc.. 

I'm getting no other messages about anything. 

ps ax shows snort running in daemon mode with that command line, and 
there is a zero-length file at  /var/log/snort/portscan.log 

Thnx.. 

- John 

-- 
John Sage 
FinchHaven, Vashon Island, WA, USA 
http://www.finchhaven.com/ <http://www.finchhaven.com/>  
mailto:jsage () finchhaven com <mailto:jsage () finchhaven com>  
"The web is so, like, five minutes ago..." 

_______________________________________________ 
Snort-users mailing list 
Snort-users () lists sourceforge net 
Go to this URL to change user options or unsubscribe: 
http://lists.sourceforge.net/lists/listinfo/snort-users
<http://lists.sourceforge.net/lists/listinfo/snort-users>  
Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users
<http://www.geocrawler.com/redir-sf.php3?list=snort-users>

Current thread:

First time in NIDS mode, and... John Sage (May 16)
- Re: First time in NIDS mode, and... John Sage (May 16)
- <Possible follow-ups>
- RE: First time in NIDS mode, and... Oxenreider, Jeff (May 16)
- RE: First time in NIDS mode, and... Scott, Joshua (May 16)
  - RE: First time in NIDS mode, and... John Berkers (May 16)