[Snort-users] Closer to the -D issue

DmuZ DmuZ at ...324...
Wed Nov 1 13:31:00 EST 2000


Sorry if this has been resolved or already covered...

I am using snort-1.6.3-patch2 on a redhat 6.2 system. I have noticed two
issues since I upgraded from snort-1.6.3.

1. snort does not appear to stay in promiscuous mode after starting

2. the pid file (snort_eth0.pid) now gets placed in the same dir as the bash
start/stop script I use instead of /var/run

FYI my command line is: snort -D -c /var/lib/snort/rules -l /var/log/snort -o -d

Any idea on causes/solutions?

Thanks,

DmuZ


----- Original Message -----
From: Marko Jennings <marko at ...303...>
To: Gene R. Gomez <ggomez at ...677...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Thursday, October 26, 2000 6:28 PM
Subject: Re: [Snort-users] Closer to the -D issue


| I got the same results as Gene:
|
| Oct 26 22:16:35 usdtwids0001 kernel: eth0: Setting promiscuous mode.
| Oct 26 22:16:35 usdtwids0001 snort: [?] NOTICE: _PATH_VARRUN is
| unavailable!    => Logging Snort PID to log directory
| (/usr/local/snort/logs)
| Oct 26 22:16:35 usdtwids0001 snort: linux socket: Operation not
| permitted
| Oct 26 22:16:35 usdtwids0001 snort:
| Oct 26 22:16:35 usdtwids0001 snort: Initializing Network Interface...
| Oct 26 22:16:35 usdtwids0001 snort: Rule application order changed to
| Pass->Alert->Log
| Oct 26 22:16:35 usdtwids0001 snort: Initializing daemon mode
| Oct 26 22:16:35 usdtwids0001 snort.new: Starting NIDS succeeded
|
|
| However, right now, I have no way of testing if it is working correctly
| or not (with the -D flag, it used to only see its own traffic).  I
| assume that the fact that the message about leaving the promiscuous mode
| means it's OK, but I'll need to see it with my own eyes.
|
| Could someone please tell me what the "_PATH_VARRUN" and "Operation not
| permitted" messages mean and whether I need to do something about them
| or not?
|
| Thank you all.
|
| Marko Jennings
|
|
| > "Gene R. Gomez" wrote:
| >
| > Marty and anyone else who's interested...
| > I was tinkering around with snort-1.6.3-patch2, and added the -u and
| > -g flags to my startup script.  Instead of running as root, I'm now
| > running as snort.  Here is the resulting /var/log/messages entry
| > regarding that:
| >
| > Oct 26 15:23:20 fuzzy kernel: snort uses obsolete
| > (PF_INET,SOCK_PACKET)
| > Oct 26 15:23:20 fuzzy kernel: eth0: Setting promiscuous mode.
| > Oct 26 15:23:20 fuzzy kernel: device eth0 entered promiscuous mode
| > Oct 26 15:23:20 fuzzy snort: [?] NOTICE: _PATH_VARRUN is unavailable!
| > => Logging Snort PID to log directory (/var/log/snort)
| > Oct 26 15:23:20 fuzzy snort: linux socket: Operation not permitted
| > Oct 26 15:23:20 fuzzy snort:
| > Oct 26 15:23:20 fuzzy snort: Initializing Network Interface...
| > Oct 26 15:23:20 fuzzy snort: Initializing daemon mode
| > Oct 26 15:23:20 fuzzy snort: snort startup succeeded
| >
| > Guess what?  snort -D is running fine now.  The difference appears to
| > be that linux socket command.  When snort-1.6.3-patch2 is running as
| > root on my Red Hat Linux 7.0 box (libpcap and glibc already updated),
| > the next entry after it enters promiscuous would be something like:
| >
| > Oct 26 15:23:20 fuzzy kernel: device eth0 leaving promiscuous mode
| >
| > I did compile snort-1.6.3-patch2 using the -DDEBUG specification you
| > mentioned before, but it created a 50M portscan.log file which my
| > system promptly mailed to everyone on my alerts list.  :)
| > Because of that, it's not highly likely that I'll be trying it again
| > soon on anything but a testing system.  ;)
| > Ok...Marko Jennings!  Can you try to verify this on your Red Hat 6.2
| > platform?  It sounded like we were encountering identical issues...
| >
| > -Gene
| _______________________________________________
| Snort-users mailing list
| Snort-users at lists.sourceforge.net
| http://lists.sourceforge.net/mailman/listinfo/snort-users
|
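An added check, not code from the thread, for the two symptoms discussed above: a small POSIX sh script that reads a /var/log/messages excerpt and reports the interface's final promiscuous state (Gene's "leaving promiscuous mode" case versus the working run) and the directory Snort said it logged its PID to (the _PATH_VARRUN fallback). The sample log lines are constructed from the excerpts quoted in the thread; the hostname and timestamps are made up.

```shell
#!/bin/sh
# Added example, not code from the thread: check a syslog excerpt for the two
# symptoms discussed above (interface dropping out of promiscuous mode after
# "snort -D", and the PID file landing somewhere other than /var/run).

# Final promiscuous state of an interface according to kernel messages:
# "promisc", "not-promisc" or "unknown" (no promiscuous-mode line at all).
promisc_state() {
    log=$1; iface=$2
    last=$(grep "kernel: .*$iface" "$log" | grep -i 'promiscuous' | tail -n 1)
    case $last in
        *"leaving promiscuous"*)                          echo not-promisc ;;
        *"entered promiscuous"*|*"Setting promiscuous"*)  echo promisc ;;
        *)                                                echo unknown ;;
    esac
}

# Directory Snort said it wrote its PID to. If the _PATH_VARRUN notice fired,
# the path in parentheses on the "Logging Snort PID" line is the one in use;
# otherwise the normal /var/run is assumed.
pid_dir() {
    log=$1
    dir=$(grep 'Logging Snort PID to log directory' "$log" \
          | sed -n 's/.*(\(\/[^)]*\)).*/\1/p' | tail -n 1)
    if [ -n "$dir" ]; then echo "$dir"; else echo /var/run; fi
}

# Constructed sample log modelled on the /var/log/messages excerpts quoted in
# the thread (hostname and timestamps are made up). "$1" = ok | broken.
sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Oct 26 15:23:20 fuzzy kernel: eth0: Setting promiscuous mode.
Oct 26 15:23:20 fuzzy kernel: device eth0 entered promiscuous mode
Oct 26 15:23:20 fuzzy snort: [?] NOTICE: _PATH_VARRUN is unavailable!
Oct 26 15:23:20 fuzzy snort: => Logging Snort PID to log directory (/var/log/snort)
Oct 26 15:23:20 fuzzy snort: Initializing daemon mode
EOF
    # The failing case Gene describes when running as root: the device leaves
    # promiscuous mode right after the daemon forks.
    if [ "$1" = broken ]; then
        echo 'Oct 26 15:23:20 fuzzy kernel: device eth0 leaving promiscuous mode' >>"$f"
    fi
    echo "$f"
}

# Usage on a live box: sh check.sh /var/log/messages eth0
if [ $# -eq 2 ]; then
    echo "$2: $(promisc_state "$1" "$2"); PID file directory: $(pid_dir "$1")"
fi
```

For a live confirmation rather than a log-based one, `ifconfig eth0` shows a PROMISC flag while the interface is in promiscuous mode.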