Snort mailing list archives

Re: Enc: Problems to start snort 2.9

From: Jason Wallace <jason.r.wallace () gmail com>
Date: Thu, 31 Mar 2011 17:19:55 -0400

If it is a VMware virtual environment, ensure that vmware-tools is
installed and the service is started, and then change the interface
type of the VM to e1000. That should be supported in your kernel.
Newer kernels have support for the new vmxnet3 interfaces.

... ~ # uname -a
Linux uscla1004x 2.6.36-gentoo-r5 #7 SMP Wed Feb 16 13:30:51 EST 2011
x86_64 Intel(R) Xeon(R) CPU X5650 @ 2.67GHz GenuineIntel GNU/Linux

... ~ # zcat /proc/config.gz |grep -i vmx
CONFIG_VMXNET3=y


So far they appear to be working well for packet capture.


Thx,
Wally

On Thu, Mar 31, 2011 at 3:27 PM, Ivani A. Nascimento
<ivani_nascimento () yahoo com br> wrote:

Hi Russ,

Thanks for your answer. Really, I saw the post that you are
mentioning, but any answer.

Well, the interface is venet0:0; it's a virtual
environment.

IIt'll be any change in the kernel? I'm using
2.6.18-194.8.1.el5.028stab070.5.

Thank you again.



--- Em qui, 31/3/11, Russ Combs <rcombs () sourcefire com> escreveu:

De: Russ Combs <rcombs () sourcefire com>
Assunto: Re: [Snort-users] Enc: Problems to start snort 2.9
Para: "Ivani A. Nascimento" <ivani_nascimento () yahoo com br>
Cc: snort-users () lists sourceforge net
Data: Quinta-feira, 31 de Março de 2011, 15:21

Looks like someone posted the same error about a year ago on snort.org with 2.8.5, apparently w/o resolution.

What type of interface is it?  libpcap will assume SLL for unknown types and expect the kernel to leave room to 
prepend the header.


Appears to be making the wrong assumption.

On Thu, Mar 31, 2011 at 1:48 PM, Ivani A. Nascimento <ivani_nascimento () yahoo com br> wrote:

Hi, folks!



I'm newbie using Snort and I have a doubt.



I've googled many sites, lists,  but I'm lost about a weird error.



I've installed the snort 2.9 but I can't start it. Looking the logs, I've found:



Mar 31 13:45:18 snortlab snort[16294]:         --== Initialization Complete ==--

Mar 31 13:45:18 snortlab snort[16294]: Commencing packet processing (pid=16294)

Mar 31 13:45:19 snortlab snort[16294]: Can't acquire (-1) - cooked-mode frame doesn't have room for sll header!

---

---

Mar 31 13:45:50 snortlab snort[16294]: ===============================================================================

Mar 31 13:45:50 snortlab snort[16294]: ===============================================================================

Mar 31 13:45:50 snortlab snort[16294]: dcerpc2 Preprocessor Statistics

Mar 31 13:45:51 snortlab snort[16294]:   Total sessions: 0

Mar 31 13:45:51 snortlab snort[16294]: ===============================================================================

Mar 31 13:45:52 snortlab snort[16294]: ===============================================================================

Mar 31 13:45:52 snortlab snort[16294]: Snort exiting



I'm using CentOS 5.5.  Anyone you help me?



Thanks for advance,



Nix



------------------------------------------------------------------------------

Create and publish websites with WebMatrix

Use the most popular FREE web apps or write code yourself;

WebMatrix provides all the features you need to develop and

publish your website. http://p.sf.net/sfu/ms-webmatrix-sf

_______________________________________________

Snort-users mailing list

Snort-users () lists sourceforge net

Go to this URL to change user options or unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:

http://www.geocrawler.com/redir-sf.php3?list=snort-users





------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself;
WebMatrix provides all the features you need to develop and
publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself; 
WebMatrix provides all the features you need to develop and 
publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Enc: Problems to start snort 2.9 Ivani A. Nascimento (Mar 31)
- Re: Enc: Problems to start snort 2.9 Russ Combs (Mar 31)
- <Possible follow-ups>
- Re: Enc: Problems to start snort 2.9 Ivani A. Nascimento (Mar 31)
  - Re: Enc: Problems to start snort 2.9 Jason Wallace (Mar 31)