[Snort-users] Closer to the -D issue
DmuZ at ...324...
Wed Nov 1 13:31:00 EST 2000
Sorry if this has been resolved or already covered...
I am using snort-1.6.3-patch2 on a redhat 6.2 system. I have noticed two
issues since I upgraded from snort-1.6.3.
1. snort does not appear to stay in promiscuous mode after starting
2. the pid file (snort_eth0.pid) now gets placed in the same dir as the bash
start/stop script I use instead of /var/run
FYI my command line is: snort -D -c /var/lib/snort/rules -l /var/log/snort -o -d
Any idea on causes/solutions?
----- Original Message -----
From: Marko Jennings <marko at ...303...>
To: Gene R. Gomez <ggomez at ...677...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Thursday, October 26, 2000 6:28 PM
Subject: Re: [Snort-users] Closer to the -D issue
| I got the same results as Gene:
| Oct 26 22:16:35 usdtwids0001 kernel: eth0: Setting promiscuous mode.
| Oct 26 22:16:35 usdtwids0001 snort: [?] NOTICE: _PATH_VARRUN is unavailable! => Logging Snort PID to log directory
| Oct 26 22:16:35 usdtwids0001 snort: linux socket: Operation not
| Oct 26 22:16:35 usdtwids0001 snort:
| Oct 26 22:16:35 usdtwids0001 snort: Initializing Network Interface...
| Oct 26 22:16:35 usdtwids0001 snort: Rule application order changed to
| Oct 26 22:16:35 usdtwids0001 snort: Initializing daemon mode
| Oct 26 22:16:35 usdtwids0001 snort.new: Starting NIDS succeeded
| However, right now, I have no way of testing if it is working correctly
| or not (with the -D flag, it used to only see its own traffic). I
| assume that the fact that the message about leaving the promiscuous mode
| means it's OK, but I'll need to see it with my own eyes.
| Could someone please tell me what the "_PATH_VARRUN" and "Operation not
| permitted" messages mean and whether I need to do something about them
| or not?
| Thank you all.
| Marko Jennings
| > "Gene R. Gomez" wrote:
| > Marty and anyone else who's interested...
| > I was tinkering around with snort-1.6.3-patch2, and added the -u and
| > -g flags to my startup script. Instead of running as root, I'm now
| > running as snort. Here is the resulting /var/log/messages entry
| > regarding that:
| > Oct 26 15:23:20 fuzzy kernel: snort uses obsolete (PF_INET,SOCK_PACKET)
| > Oct 26 15:23:20 fuzzy kernel: eth0: Setting promiscuous mode.
| > Oct 26 15:23:20 fuzzy kernel: device eth0 entered promiscuous mode
| > Oct 26 15:23:20 fuzzy snort: [?] NOTICE: _PATH_VARRUN is unavailable! => Logging Snort PID to log directory (/var/log/snort)
| > Oct 26 15:23:20 fuzzy snort: linux socket: Operation not permitted
| > Oct 26 15:23:20 fuzzy snort:
| > Oct 26 15:23:20 fuzzy snort: Initializing Network Interface...
| > Oct 26 15:23:20 fuzzy snort: Initializing daemon mode
| > Oct 26 15:23:20 fuzzy snort: snort startup succeeded
| > Guess what? snort -D is running fine now. The difference appears to
| > be that linux socket command. When snort-1.6.3-patch2 is running as
| > root on my Red Hat Linux 7.0 box (libpcap and glibc already updated),
| > the next entry after it enters promiscuous would be something like:
| > Oct 26 15:23:20 fuzzy kernel: device eth0 leaving promiscuous mode
| > I did compile snort-1.6.3-patch2 using the -DDEBUG specification you
| > mentioned before, but it created a 50M portscan.log file which my
| > system promptly mailed to everyone on my alerts list. :)
| > Because of that, it's not highly likely that I'll be trying it again
| > soon on anything but a testing system. ;)
| > Ok...Marko Jennings! Can you try to verify this on your Red Hat 6.2
| > platform? It sounded like we were encountering identical issues...
| > -Gene
| Snort-users mailing list
| Snort-users at lists.sourceforge.net
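Marko writes above that he has no way of testing whether Snort really stays in promiscuous mode, and DmuZ reports the PID file landing next to the start script rather than in /var/run. The script below is an added check for exactly those two questions; it is not code from this thread or from the Snort project. It assumes a Linux with sysfs, where /sys/class/net/<iface>/flags holds the interface flags word (that file did not exist on the kernels the thread was written against), the IFF_UP (0x1) and IFF_PROMISC (0x100) bit values from <linux/if.h>, and the snort_<iface>.pid file name seen in the thread. SYSFS_ROOT, check_snort and the other function names are mine, and the sysfs tree the demo at the end builds is constructed so the script runs on any machine.

```shell
#!/bin/sh
# Added check script (not from the thread or from Snort). Answers two questions
# from the discussion on a running box:
#   1. is the interface in promiscuous mode right now (not just "was set")?
#   2. where did Snort leave its PID file, and is that PID alive?
# Assumptions: Linux sysfs, /sys/class/net/<iface>/flags holds the flags word;
# bit values from <linux/if.h>: IFF_UP=0x1, IFF_PROMISC=0x100.

IFF_UP=0x1
IFF_PROMISC=0x100
SYSFS_ROOT="${SYSFS_ROOT:-/sys/class/net}"   # override to test against a constructed tree

# iface_flags IFACE: print the hex flags word (e.g. 0x1103); nothing if absent
iface_flags() {
    cat "$SYSFS_ROOT/$1/flags" 2>/dev/null
}

# flags_have HEXWORD BIT: succeed if BIT is set in HEXWORD
flags_have() {
    [ $(( $1 & $2 )) -ne 0 ]
}

# is_promisc IFACE: 0 if PROMISC is set, 1 if clear, 2 if the interface is unknown
is_promisc() {
    f=$(iface_flags "$1" || true)
    [ -n "$f" ] || return 2
    flags_have "$f" "$IFF_PROMISC"
}

# find_pidfile IFACE DIR...: print the first DIR/snort_IFACE.pid that exists
find_pidfile() {
    pf_iface=$1; shift
    for d in "$@"; do
        if [ -f "$d/snort_$pf_iface.pid" ]; then
            printf '%s\n' "$d/snort_$pf_iface.pid"
            return 0
        fi
    done
    return 1
}

# pid_alive PIDFILE: succeed if the file holds a number and that process exists.
# kill -0 needs permission to signal the target: run as root or as the snort user.
pid_alive() {
    pid=$(cat "$1" 2>/dev/null || true)
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    kill -0 "$pid" 2>/dev/null
}

# check_snort IFACE LOGDIR: print one line per check; exit 0 only if all pass.
# The PID file is looked for where the thread saw it land: /var/run, the -l log
# directory (the _PATH_VARRUN fallback) and the current directory.
check_snort() {
    cs_iface=$1; cs_logdir=$2; rc=0
    f=$(iface_flags "$cs_iface" || true)
    if [ -z "$f" ]; then
        echo "$cs_iface: no flags entry under $SYSFS_ROOT (no such interface?)"
        return 2
    fi
    if flags_have "$f" "$IFF_UP"; then
        echo "$cs_iface: UP"
    else
        echo "$cs_iface: DOWN"; rc=1
    fi
    if flags_have "$f" "$IFF_PROMISC"; then
        echo "$cs_iface: PROMISC set (flags=$f)"
    else
        echo "$cs_iface: PROMISC clear (flags=$f): Snort sees only this host's traffic"; rc=1
    fi
    pidfile=$(find_pidfile "$cs_iface" /var/run "$cs_logdir" "$PWD" || true)
    if [ -z "$pidfile" ]; then
        echo "no snort_$cs_iface.pid in /var/run, $cs_logdir or $PWD"; rc=1
    elif pid_alive "$pidfile"; then
        echo "pid file $pidfile -> pid $(cat "$pidfile") is alive"
    else
        echo "pid file $pidfile is stale or unreadable"; rc=1
    fi
    return $rc
}

# Demo against a constructed sysfs tree (so it runs anywhere): eth0 is UP but not
# promiscuous; eth1 is UP|PROMISC and has a live PID file in the log directory.
saved_root=$SYSFS_ROOT
demo=$(mktemp -d)
mkdir -p "$demo/net/eth0" "$demo/net/eth1" "$demo/log"
echo 0x1003 > "$demo/net/eth0/flags"   # IFF_UP|IFF_BROADCAST|IFF_MULTICAST
echo 0x1103 > "$demo/net/eth1/flags"   # same, plus IFF_PROMISC
echo $$ > "$demo/log/snort_eth1.pid"   # our own PID stands in for snort's
SYSFS_ROOT=$demo/net
check_snort eth1 "$demo/log" || echo "eth1 check failed (rc=$?)"
check_snort eth0 "$demo/log" || echo "eth0 check failed (rc=$?)"
rm -rf "$demo"
SYSFS_ROOT=$saved_root
```

On a real box run it as root (or as the user Snort drops to with -u/-g) with something like `check_snort eth0 /var/log/snort`; as an unprivileged third user `kill -0` gets EPERM and the PID is wrongly reported stale. On the kernels in the thread the equivalent state check is the flags line of `ifconfig eth0` (look for PROMISC), since the kernel's "Setting promiscuous mode" message only records the request; it is the later "leaving promiscuous mode" line Gene quotes, or the absence of PROMISC from the flags, that tells you Snort lost it.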