[Snort-users] snort and ./snarf, install, mild confusion

Mikael Schmidt mikael.schmidt at ...718...
Mon Nov 27 04:30:44 EST 2000


How are you starting snort? Are you starting it to run as a different user 
than root? If so, check the ownership of /var/log/snort to make sure that it 
matches whatever user you are starting snort with...


On Saturday 25 November 2000 05:32, curt wrote:
> Bob wrote:
> > Do
> > touch /var/log/snort/snort.alert
> >
> > then try starting Snort again
>
> Hi Bob,
>
> Thanks for the tip.
>
> The above command took.  I then restarted, entered
>
> bash-2.04# ./snortsnarf.pl -rulesdir /etc/snort \
> -rulesfile /etc/snort/snort-lib \
> -d /usr/local/httpd/htdocs/snort \
> /var/log/snort/snort.alert \
> /var/log/snort/portscan.log
>
> and it produced the same error on portscan.log.  Being a clever fellow,
> I used the touch command here as well, and now have a portscan.log file.
> I ran the Big Statement listed above and it took with no errors.
> Restarted, no evidence of snort.  Here's what top shows:
>
>   9:18pm  up 4 min,  2 users,  load average: 0.24, 0.45, 0.22
> 55 processes: 52 sleeping, 3 running, 0 zombie, 0 stopped
> CPU states:  6.1% user,  1.5% system,  0.0% nice, 92.2% idle
> Mem:   261668K av,  163056K used,   98612K free,       0K shrd,    9712K buff
> Swap:  136544K av,       0K used,  136544K free                   97412K cached
>
>   PID USER     PRI  NI  SIZE  RSS SHARE STAT  LIB %CPU %MEM   TIME COMMAND
>   931 root      17   0 31052  30M 11848 R       0  3.9 11.8   0:19 mozilla-bin
>   746 root       8   0 74824  73M  1792 R       0  3.3 28.5   0:06 X
>   943 root       2   0  1056 1056   876 R       0  0.3  0.4   0:00 top
>     1 root       0   0   196  196   168 S       0  0.0  0.0   0:37 init
>     2 root       0   0     0    0     0 SW      0  0.0  0.0   0:00 kflushd
>     3 root       0   0     0    0     0 SW      0  0.0  0.0   0:00 kupdate
>     4 root       0   0     0    0     0 SW      0  0.0  0.0   0:00 kpiod
>     5 root       0   0     0    0     0 SW      0  0.0  0.0   0:00 kswapd
>     6 root       0   0     0    0     0 SW      0  0.0  0.0   0:00 md_thread
>     9 root       0   0     0    0     0 SW      0  0.0  0.0   0:00 khubd
>   258 root       0   0   568  568   472 S       0  0.0  0.2   0:00 syslogd
>   262 root       0   0   860  860   392 S       0  0.0  0.3   0:00 klogd
>   494 root       0   0  1200 1200   856 S       0  0.0  0.4   0:00 sendmail
>   501 root       0   0  1184 1184   792 S       0  0.0  0.4   0:00 snmpd
>   556 root       0   0   616  616   512 S       0  0.0  0.2   0:00 cron
>   565 curt       0   0   668  668   556 S       0  0.0  0.2   0:00 in.identd
>   566 root       0   0   668  668   556 S       0  0.0  0.2   0:00 in.identd
>   567 root       0   0   668  668   556 S       0  0.0  0.2   0:00 in.identd
>   568 root       0   0   668  668   556 S       0  0.0  0.2   0:00 in.identd
>   582 root       0   0   692  692   568 S       0  0.0  0.2   0:00 nscd
>   583 root       0   0   692  692   568 S       0  0.0  0.2   0:00 nscd
>   584 root       0   0   692  692   568 S       0  0.0  0.2   0:00 nscd
>   585 root       0   0   692  692   568 S       0  0.0  0.2   0:00 nscd
>   586 root       0   0   692  692   568 S       0  0.0  0.2   0:00 nscd
>   587 root       0   0   692  692   568 S       0  0.0  0.2   0:00 nscd
>   588 root       0   0   692  692   568 S       0  0.0  0.2   0:00 nscd
>   720 root       0   0   436  436   376 S       0  0.0  0.1   0:00 mingetty
>   721 root       0   0   436  436   376 S       0  0.0  0.1   0:00 mingetty
>   722 root       0   0   436  436   376 S       0  0.0  0.1   0:00 mingetty
>   723 root       0   0   436  436   376 S       0  0.0  0.1   0:00 mingetty
>   724 root       0   0   436  436   376 S       0  0.0  0.1   0:00 mingetty
>   725 root       0   0   436  436   376 S       0  0.0  0.1   0:00 mingetty
>   726 root       0   0  2296 2296  2088 S       0  0.0  0.8   0:00 kdm
>   758 root       0   0  4304 4304  3580 S       0  0.0  1.6   0:00 kdm
>   759 root     -10 -10  2272 2272  1056 S <     0  0.0  0.8   0:00 AgentMon
>   800 root       0   0  4192 4192  3072 S       0  0.0  1.6   0:00 kwm
>   865 root       0   0  2596 2596  1860 S       0  0.0  0.9   0:00 kaudioserver
>   866 root       0   0  2480 2480  1708 S       0  0.0  0.9   0:00 maudio
>   881 root       0   0  4956 4956  3680 S       0  0.0  1.8   0:00 kfm
>   882 root       0   0  3624 3624  2720 S       0  0.0  1.3   0:00 krootwm
>   885 root       0   0  3416 3416  2508 S       0  0.0  1.3   0:00 kwmsound
>   888 root       0   0  1692 1692  1384 S       0  0.0  0.6   0:00 xconsole
>   889 root       0   0  3684 3684  2768 S       0  0.0  1.4   0:00 kcpuload
>   890 root       0   0  3684 3684  2780 S       0  0.0  1.4   0:00 klipper
>   900 root       0   0  3728 3728  2764 S       0  0.0  1.4   0:00 kbgndwm
>   903 root       0   0  4344 4344  3152 S       0  0.0  1.6   0:00 kpanel
>   911 root       0   0  3972 3972  2948 S       0  0.0  1.5   0:00 kmix
>   924 root       0   0   620  620   504 S       0  0.0  0.2   0:00 dhclient
>   925 root       0   0   976  976   800 S       0  0.0  0.3   0:00 mozilla
>   927 root       0   0  1016 1016   808 S       0  0.0  0.3   0:00 run-mozilla.
>   932 root       0   0 31052  30M 11848 S       0  0.0 11.8   0:00 mozilla-bin
>   933 root       0   0 31052  30M 11848 S       0  0.0 11.8   0:00 mozilla-bin
>   940 root       0   0 31052  30M 11848 S       0  0.0 11.8   0:00 mozilla-bin
>   941 root       0   0  1292 1292  1000 S       0  0.0  0.4   0:00 wterm
>   942 root       0   0  1308 1308   980 S       0  0.0  0.4   0:00 bash
>
> Is it running and just less than obvious?
>
> tia,
>
> curt
>
> > At 08:09 PM 11/24/2000 -0800, you wrote:
> >> Hi all,
> >>
> >> 1) My Snort install doesn't seem to be running.  I installed from the
> >> linuxnewbie.org article, and all seemed OK, or at least there were no
> >> explicit errors.
> >>
> >> However, when I (as suggested in the article)
> >>
> >> bash-2.04# ps -ax | grep snort
> >>
> >> the response is:
> >>
> >> 10087 pts/0    S      0:00 grep snort
> >> bash-2.04#
> >>
> >> neither top nor ps show snort running.  Methinks it ain't.  Could
> >> someone kindly clarify?
> >>
> >>
> >> 2) hope this isn't OT, but
> >>
> >> Regarding snortsnarf, I installed from the same linuxnewbie article.
> >>
> >> after extract, I
> >>
> >> bash-2.04# cd SnortSnarf-102700.1
> >> bash-2.04# cd include
> >> bash-2.04# cp ./* /usr/lib/perl5/site_perl/5.005/
> >> bash-2.04# cd /tmp/SnortSnarf-102700.1/cgi
> >> bash-2.04# cp ./* /usr/local/httpd/cgi-bin/
> >> bash-2.04# cd /tmp/SnortSnarf-102700.1
> >> bash-2.04# mkdir /snarf
> >> bash-2.04# cd /tmp/SnortSnarf-102700.1
> >> bash-2.04# cp snortsnarf.pl /snarf
> >> bash-2.04# cd  /snarf
> >> bash-2.04# ./snortsnarf.pl -rulesdir /etc/snort \
> >> -rulesfile /etc/snort/snort-lib \
> >> -d /usr/local/httpd/htdocs/snort \
> >> /var/log/snort/snort.alert \
> >> /var/log/snort/portscan.log
> >>
> >> the response to this last command is:
> >>
> >> Couldn't open  input file /var/log/snort/snort.alert
> >>
> >> bash-2.04#
> >>
> >> this is a proper response, as there is no file
> >> /var/log/snort/snort.alert
> >>
> >> What am I missing here?  (god, I hope it's not a typo...)
> >>
> >> big tia,
> >>
> >> curt
> >>
> >> sysinfo:
> >>
> >> Linux 2.2.16
> >> SuSE 7.0
> >> snort 1.3.6
> >>
> >> _______________________________________________
> >> Snort-users mailing list
> >> Snort-users at lists.sourceforge.net
> >> http://lists.sourceforge.net/mailman/listinfo/snort-users
>

-- 
Mikael Schmidt - mikael.schmidt at ...718...
tfn:	+46(0)46 - 222 47 35
mob:	+46(0)707 - 46 60 56
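A small pre-flight script that turns the advice in this thread into checks: Mikael's point that the owner of /var/log/snort must match the user Snort is started as, curt's finding that snortsnarf.pl stops at the first missing input file, and the "ps | grep" self-match seen in the original question. This is an added example, not code from the thread or from the Snort project; the directory, the file names and the user name "snort" are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Snort. Pre-flight checks for
# a Snort that is started as a non-root user; /var/log/snort, the file names
# snort.alert and portscan.log, and the user name "snort" are assumptions.

# check_logdir_owner DIR USER: 0 if DIR exists and is owned by USER (name or uid).
check_logdir_owner() {
    dir=$1 user=$2
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    case $user in
        *[!0-9]*) uid=$(id -u "$user" 2>/dev/null) ||
                      { echo "no such user: $user"; return 1; } ;;
        *) uid=$user ;;
    esac
    owner=$(ls -ldn "$dir" | awk '{print $3}')      # numeric owner, portable
    [ "$owner" = "$uid" ] && return 0
    echo "$dir is owned by uid $owner, not $user: chown -R $user $dir"
    return 1
}

# check_logfiles DIR FILE...: 0 only if every FILE exists under DIR.
# snortsnarf.pl aborts with "Couldn't open input file" at the first one missing.
check_logfiles() {
    dir=$1; shift; missing=0
    for f in "$@"; do
        [ -f "$dir/$f" ] && continue
        echo "missing: $dir/$f (touch it, or let snort create it on first alert)"
        missing=1
    done
    return $missing
}

# proc_running NAME: 0 if a process whose command line contains NAME is listed.
# The "grep -v grep" is what "ps -ax | grep snort" lacked in the original
# question: without it the grep command itself is the only line that matches.
proc_running() {
    ps ax 2>/dev/null | grep -v grep | grep -F "$1" >/dev/null
}

# preflight DIR USER: run all three checks and return an overall status.
preflight() {
    rc=0
    check_logdir_owner "$1" "$2" || rc=1
    check_logfiles "$1" snort.alert portscan.log || rc=1
    proc_running snort || { echo "no snort process found"; rc=1; }
    return $rc
}
# usage: preflight /var/log/snort snort
```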
