[Snort-devel] snort fails on ppp0

Hugo van der Kooij hvdkooij at ...372...
Mon Apr 9 14:39:16 EDT 2001


LS,

I tried to get snort v1.7 working but I failed. Installation was from
Source RPM on my SPARCclassic.
Kernel 2.2.17 (based on Red Hat Linux 6.2).
The rule set was taken from the site.
Command line switches as defined in the INIT script (from the RPM):
	snort -u snort -g snort -s -d -D -v \
	-i ppp0 -l /var/log/snort -c /etc/snort/snort.conf

No logging is recorded besides a notice that ppp0 went promiscuous for a
second or so, and no sign of the snort process is to be found afterwards.

ppp0 is my PPTP link, which is my internet link.

Due to the lack of any error message it is quite hard to tell what goes
on. I started with strace, and at the end of the output shown I get:

read(3, "# /etc/protocols:\n# $Id: protoco"..., 4096) = 1567
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x5001b000, 8192)                = 0
time(NULL)                              = 986841149
open("/etc/localtime", O_RDONLY)        = 3
read(3, "TZif\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\v\0\0\0\v\0"..., 44) = 44
read(3, "\233\fK\20\233\327R\20\234\331\270\20\235\244\277\20\236"..., 900) = 900
fstat(3, {st_mode=S_IFREG|0644, st_size=1058, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x5001b000
read(3, "\0\0\22\240\1\0\0\0\4\220\0\4\0\0\4\260\0\10\0\0\22\300"..., 4096) = 114
close(3)                                = 0
munmap(0x5001b000, 8192)                = 0
brk(0x6b000)                            = 0x6b000
socket(PF_UNIX, SOCK_STREAM, 0)         = 3
connect(3, {sin_family=AF_UNIX, path="/var/run/.nscd_socket"}, 110) = -1 ECONNREFUSED (Connection refused)
close(3)                                = 0
open("/etc/passwd", O_RDONLY)           = 3
fcntl(3, F_GETFD)                       = 0
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=911, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x5001b000
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 911
close(3)                                = 0
munmap(0x5001b000, 8192)                = 0
socket(PF_UNIX, SOCK_STREAM, 0)         = 3
connect(3, {sin_family=AF_UNIX, path="/var/run/.nscd_socket"}, 110) = -1 ECONNREFUSED (Connection refused)
close(3)                                = 0
open("/etc/group", O_RDONLY)            = 3
fcntl(3, F_GETFD)                       = 0
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=525, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x5001b000
read(3, "root:x:0:root\nbin:x:1:root,bin,d"..., 4096) = 525
close(3)                                = 0
munmap(0x5001b000, 8192)                = 0
geteuid()                               = 0
stat("/var/log/snort", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
access("/var/log/snort", W_OK)          = 0
stat("/var/run/", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
access("/var/run/", W_OK)               = 0
open("/var/run//snort_ppp0.pid", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
getpid()                                = 13795
fstat(3, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x5001b000
write(3, "13795\n", 6)                  = 6
close(3)                                = 0
munmap(0x5001b000, 8192)                = 0
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 1), ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x5001b000
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
write(1, "Initializing daemon mode\n", 25Initializing daemon mode
) = 25
getppid()                               = 13794
fork()                                  = 13796
--- SIGCHLD (Child exited) ---
munmap(0x5001b000, 8192)                = 0
exit(0)                                 = ?

Any hints are welcome,
Hugo.

-- 
All email sent to me is bound to the rules described on my homepage.

    Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
    hvdkooij at ...372...		http://hvdkooij.xs4all.nl/

	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.
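An added example, not part of Hugo's post and not Snort project code, for the situation the trace above shows: the pid file /var/run//snort_ppp0.pid is written with the traced process's own PID (13795) just before fork(), and that process then exits with exit(0). Because strace was run without -f, nothing the forked child (13796) did is in the trace. The two helpers below check whether the PID recorded in a pid file is still a live process, and re-run a command under strace following forks so the child's syscalls are captured. The pid file path, the temporary file names and the stand-in "daemon" in the demo are constructed for this example; strace's -f, -ff and -o options are real.

```shell
#!/bin/sh
# Added example (not from the original post or from Snort).
# Diagnostics for a daemon that disappears after "Initializing daemon mode".

# pidfile_alive PIDFILE
#   0 : the PID recorded in PIDFILE is a running process
#   1 : a PID is recorded but no such process exists (stale pid file)
#   2 : PIDFILE is missing, unreadable or holds no number
pidfile_alive() {
    pf=$1
    [ -r "$pf" ] || return 2
    pid=$(head -n 1 "$pf" | tr -dc '0-9')
    [ -n "$pid" ] || return 2
    # kill -0 sends no signal; it only checks that the process exists
    # and that we may signal it (run as root for another user's daemon).
    if kill -0 "$pid" 2>/dev/null; then
        return 0
    fi
    return 1
}

# trace_forking TRACEFILE CMD...
#   Re-runs CMD under strace, following children (-f) and writing one
#   output file per process (-ff => TRACEFILE.PID), so the syscalls of the
#   daemonized child survive the parent's exit(0).  Returns 3 if strace
#   is not installed.
trace_forking() {
    out=$1
    shift
    command -v strace >/dev/null 2>&1 || return 3
    strace -f -ff -o "$out" "$@"
}

# demo_stale_pidfile
#   Constructed stand-in for the behaviour in the trace: a process writes
#   its own PID to the pid file and then exits.  Returns the pidfile_alive
#   status for that file, which is 1 (stale) once the writer has gone.
demo_stale_pidfile() {
    pf=${TMPDIR:-/tmp}/demo_ppp0.pid.$$
    sh -c 'echo $$ > "$1"' sh "$pf"      # writer records its PID, then exits
    rc=0
    pidfile_alive "$pf" || rc=$?
    rm -f "$pf"
    return $rc
}
```

Usage on the original setup would be `pidfile_alive /var/run/snort_ppp0.pid` right after starting snort (a status of 1 means the recorded PID is already gone) and `trace_forking /tmp/snort.trace snort -u snort -g snort -s -d -D -v -i ppp0 -l /var/log/snort -c /etc/snort/snort.conf`, after which /tmp/snort.trace.13796 (the child's PID in the example above) holds the part of the story the original trace is missing.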
