Snort mailing list archives
RE: First time in NIDS mode, and...
From: "Scott, Joshua" <Joshua.Scott () jacobs com>
Date: Wed, 16 May 2001 12:41:51 -0400
Make sure that either you run Snort from the directory that has all the rules files and your snort.conf, or make sure that your snort.conf has the full path to each of your rules files.

-----Original Message-----
From: Oxenreider, Jeff [mailto:jox () safelite com]
Sent: Wednesday, May 16, 2001 7:56 AM
To: 'John Sage'; Snort Users
Subject: RE: [Snort-users] First time in NIDS mode, and...

I've seen this happen to me on occasion, and if I open up the snort.conf file, in "vi" and then do a "write quit", thereby updating the timestamp on the file, and rerun snort, it fires right up. I don't have an explanation for the action and it hasn't been a burden on me too much and I just chalked it up to something I was doing wrong so never posted any sort of a bug report on it.

Bad Jeff, Bad.....

Jeffrey A. Oxenreider
Senior Network/Security Engineer
Safelite Glass Corp

-----Original Message-----
From: John Sage [mailto:jsage () finchhaven com]
Sent: Wednesday, May 16, 2001 10:27 AM
To: Snort Users
Subject: [Snort-users] First time in NIDS mode, and...

Just got snort on; works great in packet logging mode; now I'm moving on to NIDS mode and I'm getting this:

from logcheck:

May 16 06:49:42 sparky pppd[10996]: Connect: ppp0 <--> /dev/modem
:
May 16 06:49:45 sparky snort: ERROR: Unable to open rules file: webcgi-lib
:
May 16 06:49:45 sparky kernel: device ppp0 entered promiscuous mode
May 16 06:49:45 sparky kernel: device ppp0 left promiscuous mode

command line (run from the script that sets up ipchains):

/usr/bin/snort -d -D -l /var/log/snort -h 192.168.1.0/24 -i ppp0 -c /usr/local/snort-1.7/snort.conf

snort.conf is the box-stock one that came with the 1.7 distro.

Question:

Why can't it load webcgi-lib? It's there, etc etc..

I'm getting no other messages about anything. ps ax shows snort running in daemon mode with that command line, and there is a zero-length file at /var/log/snort/portscan.log

Thnx..

- John
--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."
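One way to check a snort.conf for the condition Joshua Scott's reply describes, as an added example that is not part of the original thread or of Snort itself. It assumes include lines have the form `include <path>` and that relative paths are resolved against the directory Snort is started from, as the reply states; the function name `unresolved_includes` and the file `example-lib` are made up for the illustration.

```shell
#!/bin/sh
# unresolved_includes CONF [RUNDIR]
# Prints every include target in CONF that cannot be read when Snort is
# started from RUNDIR (default: the current directory).
# Assumption: relative include paths are resolved against RUNDIR, not
# against the directory that holds snort.conf.
unresolved_includes() {
    conf=$1
    rundir=${2:-$PWD}
    # Drop comments, then look only at lines of the form "include <path>".
    sed 's/#.*//' "$conf" | while read -r keyword path _rest; do
        [ "$keyword" = "include" ] || continue
        [ -n "$path" ] || continue
        case $path in
            /*) target=$path ;;           # full path: same result from any cwd
            *)  target=$rundir/$path ;;   # relative: depends on where Snort starts
        esac
        [ -r "$target" ] || echo "$path"
    done
}

# Constructed sample layout, not the poster's real file system.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/snort-1.7" "$tmp/elsewhere"
    : > "$tmp/snort-1.7/webcgi-lib"
    : > "$tmp/snort-1.7/example-lib"
    cat > "$tmp/snort-1.7/snort.conf" <<EOF
# constructed snort.conf fragment
include webcgi-lib
include $tmp/snort-1.7/example-lib   # full path
EOF
    echo "started from the rules directory:"
    unresolved_includes "$tmp/snort-1.7/snort.conf" "$tmp/snort-1.7"
    echo "started from another directory:"
    unresolved_includes "$tmp/snort-1.7/snort.conf" "$tmp/elsewhere"
    rm -rf "$tmp"
}
demo
```

In the constructed layout only the relative `webcgi-lib` entry is reported, and only when the start directory is not the rules directory.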
Current thread:
- First time in NIDS mode, and... John Sage (May 16)
- Re: First time in NIDS mode, and... John Sage (May 16)
- <Possible follow-ups>
- RE: First time in NIDS mode, and... Oxenreider, Jeff (May 16)
- RE: First time in NIDS mode, and... Scott, Joshua (May 16)
- RE: First time in NIDS mode, and... John Berkers (May 16)