Snort mailing list archives

Re: First time snorting ... ERROR: The dynamic detection library ...


From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 14 Nov 2013 19:41:55 -0500

On 11/14/2013 3:40 PM, Alan McKay wrote:
On Thu, Nov 14, 2013 at 3:24 PM, waldo kitty <wkitty42 () windstream net> wrote:
speaking of command lines, what is your snort command line?

Straight out of that doc I'd posted earlier

/usr/local/snort/bin/snort -u snort -g snort -c
/usr/local/snort/etc/snort.conf -i eth0

ahhh... ok... so you are not (yet) running it daemonized... my bad, too, because 
the output would be in your /var/logs/messages file if you were running it 
daemonized... sorry about that :?

Though now I just changed it to

/usr/local/snort/bin/snort -u snort -g snort -c
/usr/local/snort/etc/snort.conf -i eth0 >
/var/log/snort/snort.startup.log 2>&1

ok... try adding "-k none" before your "-c" or after your "eth0"...

also, you might want to stop snort, delete the snort log file in /var/logs...
then restart it, give it a few minutes, terminate it again and post that log...
we might spot something in there...

Snort logs are empty :

ok... looking at the below, i thought you might have been looking at the 
snort.log.xxxxxxxxxx files... those are pcap (aka packet capture) files... what 
i was looking for, above, is the startup and shutdown output of snort... your 
snort.startup.log should have the information i was looking for... when you 
start to run snort daemonized, you won't use that redirection and all that 
information will be written to your system log...

root@ogic2:/usr/local/snort/etc# ls -al /var/log/snort/
total 36
drwxr-xr-x  2 snort snort  4096 Nov 14 15:35 .
drwxr-xr-x 19 root  root   4096 Nov 14 10:36 ..
-rw-r--r--  1 snort snort  2056 Nov 14 15:29 barnyard2.waldo
-rw-r--r--  1 root  root  22416 Nov 14 15:35 snort.startup.log
-rw-------  1 snort snort     0 Nov 14 15:33 snort.u2.1384461197
-rw-------  1 snort snort     0 Nov 14 15:35 snort.u2.1384461344

yep, your u2 files are definitely empty... that indicates one of two things...

1. your snort is not seeing the traffic
OR
2. the traffic your snort is seeing is not triggering any alert rules

Here is the startup log

https://docs.google.com/document/d/1bd3atMiqTBvbwF8BIpZDSVEr1vYniyM0GSIHZGvVWO8/edit?usp=sharing

i'll take a look... [time passes] ok... this indicates that snort is running and 
looking for traffic...

   Commencing packet processing (pid=31755)

now we need to see the rest of the output when you shut down snort... that will 
give us the statistics of traffic that it has seen, if any at all...

Anyway, thanks.  I'll start going through the FAQ instead of that other doc.

;)


-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
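The diagnosis waldo walks through above (empty u2 files mean either that Snort is not seeing traffic or that the traffic is not matching any alert rule, and the shutdown statistics tell you which) written out as a small sh script. This is an added example, not code from the thread or from the Snort project; the function names are mine, and the sample log text the script writes is constructed, modeled on the layout of the Snort 2.9 shutdown summary ("Packet I/O Totals" and "Action Stats"). It assumes the non-daemonized command line with output redirected to /var/log/snort/snort.startup.log as Alan posted it.

```sh
#!/bin/sh
# Added diagnostic helper for the situation in this thread. It is not code
# from the Snort project or from either poster. It reads the startup log
# that Alan redirected into /var/log/snort/snort.startup.log (including the
# summary Snort appends to it when stopped with SIGINT) and decides between
# waldo's two causes for empty unified2 files. The sample log text below is
# CONSTRUCTED, modeled on the Snort 2.9 "Packet I/O Totals"/"Action Stats"
# blocks; the function names are mine.
#
# To get a real log: run non-daemonized as in the thread, add -k none, wait a
# few minutes, then stop Snort with SIGINT so it prints the summary:
#   /usr/local/snort/bin/snort -u snort -g snort -k none \
#     -c /usr/local/snort/etc/snort.conf -i eth0 \
#     > /var/log/snort/snort.startup.log 2>&1 &
#   sleep 300; kill -INT "$(snort_pid /var/log/snort/snort.startup.log)"

# Pid from the "Commencing packet processing (pid=NNN)" line; empty if absent.
snort_pid() {
    sed -n 's/.*Commencing packet processing (pid=\([0-9][0-9]*\)).*/\1/p' "$1" | head -n 1
}

# Integer following a counter label such as "Received:" or "Alerts:";
# prints 0 when the label is not in the file.
stat_value() {
    awk -v key="$1:" '$1 == key { print $2; found = 1; exit }
                      END { if (!found) print 0 }' "$2"
}

# Classify a startup log that ends with the shutdown summary:
#   NOT_STARTED - no "Commencing packet processing" line, so no summary either
#   NO_TRAFFIC  - Snort received 0 packets (cause 1 in the message above)
#   NO_ALERTS   - packets received, but no alert rule fired (cause 2)
#   ALERTS      - alerts were counted; an empty u2 file then points at the
#                 output plugin or barnyard2, not at traffic or rules
diagnose() {
    if [ -z "$(snort_pid "$1")" ]; then
        echo NOT_STARTED
        return
    fi
    received=$(stat_value Received "$1")
    alerts=$(stat_value Alerts "$1")
    if [ "$received" -eq 0 ]; then
        echo NO_TRAFFIC
    elif [ "$alerts" -eq 0 ]; then
        echo NO_ALERTS
    else
        echo ALERTS
    fi
}

# unified2 spool files in a log directory that are still zero bytes, like
# the two snort.u2.* files in the ls output above.
empty_u2_files() {
    for f in "$1"/snort.u2.*; do
        [ -e "$f" ] || continue   # no match: the glob is left literal
        [ -s "$f" ] || echo "$f"
    done
}

# Write a CONSTRUCTED log to $1 with the given Received ($2) and Alerts ($3)
# counts, in the layout of the Snort 2.9 shutdown summary.
write_sample_log() {
    {
        echo "Commencing packet processing (pid=31755)"
        echo "==============================================================================="
        echo "Packet I/O Totals:"
        printf '   Received: %12s\n' "$2"
        printf '   Analyzed: %12s (100.000%%)\n' "$2"
        echo "   Dropped:             0 (  0.000%)"
        echo "==============================================================================="
        echo "Action Stats:"
        printf '     Alerts: %12s (  0.000%%)\n' "$3"
        echo "     Logged:             0 (  0.000%)"
        echo "==============================================================================="
    } > "$1"
}

# Walk through both causes on constructed logs: ./snort_diag.sh demo
demo() {
    tmp=$(mktemp -d)
    write_sample_log "$tmp/snort.startup.log" 0 0
    echo "no traffic case: $(diagnose "$tmp/snort.startup.log")"
    write_sample_log "$tmp/snort.startup.log" 4821 0
    echo "no alerts case:  $(diagnose "$tmp/snort.startup.log")"
    : > "$tmp/snort.u2.1384461197"
    echo "empty u2 files:  $(empty_u2_files "$tmp")"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

On a real box, point diagnose at the snort.startup.log produced by the redirected command line; a NO_TRAFFIC result means the interface or its promiscuous/mirror setup needs looking at, while NO_ALERTS means Snort is fine and the question becomes which rules are loaded and what -k none changes.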

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
