Snort mailing list archives
Re: OpenPcap() error
From: Robert Cole <robert.cole () support4linux com>
Date: Tue, 18 Mar 2003 22:38:58 -0800
I've actually had the same problems with config parameters within the snort conf. Andrew knows about it. You can specify -u and -g on the command line and -D for daemon mode. It would be nice to just run snort -c /etc/snort.conf without all those command line args.. but :)
Well, I believe I have confirmed a bug after many, many hours of testing and trying today. After I got your email, Alberto, I decided to come up with a very simple command line from the 1.9.1 manual and use it to test with. Here's what I used:

    snort -de -l /var/log/snort

and

    snort -de -l /var/log/snort -c /etc/snort/snort.conf

For the testing I decided to go ahead and load up the IP on the eth0 interface instead of just activating it and logging via stealth mode. The IP for the test is 192.168.0.111/24. My workstation address is 192.168.0.12/24. My snort.conf file looks like this:

    config daemon
    config set_uid: snort
    config set_gid: snort
    var EXTERNAL_NET any
    config dump_payload
    config dump_chars_only
    config logdir: /var/log/snort
    config interface:eth0
    config reference_net: 192.168.0.0/24
    preprocessor frag2
    log udp 192.168.0.12/32 any -> 192.168.0.111/32 514 logto: ws1.log ;

I ran snort with the -c param in it, started a ping on my workstation to the snort server, and checked the /var/log/snort directory for results. Nothing. I stopped snort and the ping, started it WITHOUT the -c param, started up the ping again, checked the /var/log/snort directory and POOF! I have 192.168.0.111 and 192.168.0.12 directories and PACKET_NONIP alert and ARP files!!!

So one by one I comment out each and every line in my /etc/snort/snort.conf file and test after each one until I'm down to them ALL commented out!! I delete all the files and directories after each and every test to make sure the /var/log/snort directory is clear. And even then snort refuses to log anything if the -c param is specified!!! There are no scripts involved here, just running the snort binary and command line params. Bottom line here, I think, is that -c is BADLY broken!

Here are my compiler directives when snort was compiled, in case that is an issue:

    CFLAGS="-march=pentium2 -O2 -pipe -fomit-frame-pointer"

Another problem I just tried is all of the above without an IP assigned to the interface. I got zero logging. At one time earlier today I had it logging without an IP, but with all this fuss I've gone through so far I don't remember what I did to get it working. The static ARP entry is still in my workstation and the switch has a link to the logger even without an IP, and a look at the switch MAC table shows it associated with the correct port, so I'm all good there. Oh well, that's secondary at this point. -c is a problem all the way around right now.

Any ideas?

Robert
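An added example, not from this thread or from the Snort project: a small Python script that reads the config directives from a snort.conf like the one above and restates the daemon, privilege-drop, log directory and interface settings as the command-line flags the thread mentions (-D, -u, -g, -l), so the file and the command line agree while the config directives are unreliable. The sample configuration is reconstructed from this post; -i as Snort's interface flag is assumed from the Snort manual, not from this thread.

```python
import re
import shlex

# snort.conf directives reconstructed from the post above (constructed sample).
SAMPLE_CONF = """\
config daemon
config set_uid: snort
config set_gid: snort
var EXTERNAL_NET any
config dump_payload
config dump_chars_only
config logdir: /var/log/snort
config interface:eth0
config reference_net: 192.168.0.0/24
preprocessor frag2
log udp 192.168.0.12/32 any -> 192.168.0.111/32 514 logto: ws1.log ;
"""

# config directives the thread reports as unreliable when read from the file,
# with the command-line flag used instead (-i is assumed from the Snort manual).
FLAG_FOR = {
    "daemon": "-D", "set_uid": "-u", "set_gid": "-g",
    "logdir": "-l", "interface": "-i",
}

def parse_config(text):
    """Return {directive: value} for every 'config' line; value is None if bare."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*config\s+([a-z_]+)\s*(?::\s*(\S+))?", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out

def equivalent_args(conf, conf_path="/etc/snort/snort.conf"):
    """Build the argv that states the file's daemon/privilege/log/interface settings explicitly."""
    args = ["snort", "-c", conf_path]
    for key, val in parse_config(conf).items():
        flag = FLAG_FOR.get(key)
        if flag is None:
            continue          # dump_payload, reference_net etc. stay in the file only
        args.append(flag)
        if val is not None:
            args.append(val)
    return args

if __name__ == "__main__":
    print(shlex.join(equivalent_args(SAMPLE_CONF)))
```

After starting snort this way, check that the process actually runs as the snort user (for example with ps) rather than trusting the set_uid/set_gid lines in the file.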