Snort mailing list archives
FW: RE: weird behaviour with Puresecure
From: Ryan Hill <rhill () xypoint com>
Date: Tue, 7 May 2002 10:26:25 -0700
All, I received a reply from Demarc directly regarding the issues I raised in an e-mail to the list yesterday. Since the reply was rather good, I thought it might be helpful to forward the reply to the list in case anyone was interested in the details. The following message is being forwarded with permission from the original sender, who is not currently subscribed.

Regards,
Ryan Hill
Corporate Information Systems
TeleCommunication Systems, Inc. (TCS) - http://www.telecomsys.com

-----Original Message-----
From: Anthony [mailto:anthony () demarc com]
Sent: Monday, May 06, 2002 5:10 PM
To: rhill () xypoint com
Subject: RE: Importing Portscan Logs on 1.6?
FYI, I've been working with a developer for a few weeks on an unrelated issue but thought I would mention that the values passed to the validate function inside the web GUI are hard coded into the program. For whatever reason (probably a good one?! :), the developers have chosen not to pass the actual arguments you may be using for your sensor (I'm using -o myself).
The validate function of the web browser has to run as the unprivileged user that the webserver runs as. Therefore, in order to allow Snort to validate a ruleset without root privileges, some special arguments must be passed. For example, a minimal tcpdump file is created and then fed to snort using the -r flag so that snort will not try to open a device in promisc mode. Also, the -l argument is used and pointed to the console/tmp/ path which the webserver user has permission to write to.
In addition, the validate function also doesn't correctly identify the interface your sensor is using, so when you run validate, snort is going to run the validation against your default interface, which may or may not be the correct interface for the sensor you're testing.
This is done this way because it shouldn't make any difference if an interface is specified or not since the -T option is used - so no packets are actually captured on any interface, the rulesets and configuration are simply checked by snort to check their validity.

-Anthony
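The unprivileged validation run Anthony describes (a minimal capture file fed in with -r, a writable log directory given with -l, and -T so no interface is opened) as an added Python example; it is not code from the thread or from PureSecure. The pcap header layout follows the libpcap file format, the `snort` binary name and the config path are assumptions, and the empty capture file is constructed here.

```python
import os
import shutil
import struct
import subprocess
import tempfile

PCAP_MAGIC = 0xA1B2C3D4      # libpcap magic, written little-endian below
LINKTYPE_ETHERNET = 1


def minimal_pcap_header() -> bytes:
    """24-byte libpcap global header with no packet records.

    Snort can open this with -r, so it never needs a promiscuous
    interface (and therefore no root) just to parse config and rules.
    """
    # magic, version 2.4, tz offset, sigfigs, snaplen, link type
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535,
                       LINKTYPE_ETHERNET)


def build_validate_argv(config: str, pcap: str, log_dir: str,
                        snort_bin: str = "snort") -> list:
    """Command line for a rules/config check as an unprivileged user.

    -T: test config and rules only, then exit.
    -r: read from the (empty) capture file instead of an interface.
    -l: log directory the web server user can write to.
    """
    return [snort_bin, "-T", "-c", config, "-r", pcap, "-l", log_dir]


def validate_ruleset(config: str, snort_bin: str = "snort"):
    """Write the empty pcap into a temp log dir and run snort -T there.

    Returns (argv, returncode); returncode is None when snort is not
    installed, so the command line can still be inspected.
    """
    work = tempfile.mkdtemp(prefix="snort-validate-")
    pcap = os.path.join(work, "empty.pcap")
    with open(pcap, "wb") as fh:
        fh.write(minimal_pcap_header())
    argv = build_validate_argv(config, pcap, work, snort_bin)
    if shutil.which(snort_bin) is None:
        return argv, None
    # Assumption: a non-zero exit means the config or a rule failed to parse.
    proc = subprocess.run(argv, capture_output=True, text=True)
    return argv, proc.returncode


if __name__ == "__main__":
    print(validate_ruleset("/etc/snort/snort.conf"))  # placeholder path
```

As Anthony notes, -T only checks that the rules and configuration parse; it says nothing about whether the interface the sensor actually listens on is the right one.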