[Snort-users] RE: -D run error

Tom Moore tom at ...679...
Mon Oct 23 15:36:25 EDT 2000


I've had the exact same problem with a compiled snort on Debian linux.
The -D option causes the run to bomb out immediately, with the error:

snort -D -S HOME_NET=my.net.0.0/16 -h my.net.0.0/16 -c
/etc/snort/snort-lib -t /var/log/snort -u snort -g snort -s -i -eth0

Initializing Network Interface...
linux socket: Operation not permitted

Running strace shows:

[!] ERROR: Can not get write to logging directory /var/log/snort.
(directory doesn't exist or permissions are set incorrectly)

I assumed that the process running as snort was having problems writing to
the snort log dir, so I made sure it was owned by snort and +rw.  This still
didn't seem to solve the problem.

There was also a stat to /etc/group that returned ENOENT, but there does
exist a /etc/group file, so I'm not sure what the problem is.

FWIW, the Debian woody 1.6.3 binary out of the pkg tree works fine; I
just wanted to compile my own binary to use the flexresp options.

PS- Great job at SANS Marty.. I really enjoyed your lectures... Glad you got
the TCP Flags in order now :)

---
Tom Moore
Duke University
tom at ...679...




>Message: 7
>From: "Gene R. Gomez" <ggomez at ...677...>
>To: "'snort-users at lists.sourceforge.net'" <snort-users at lists.sourceforge.net>
>Date: Mon, 23 Oct 2000 09:14:05 -0700
>Subject: [Snort-users] difficulties with -D

Hey folks,
I'm using snort-1.6.3-patch2, and having problems with -D.  Essentially,
when I explicitly start snort without the -D option, everything works fine;
however, if I specify -D, /var/log/messages reflects that eth0 is entering
promiscuous mode, then IMMEDIATELY dropping out.  I've noticed that, when I
run snort from the command line, as soon as I exit snort it looks like the
timing is turning off promiscuous right away, but the entry for leaving
promiscuous doesn't pop up in the logs until I exit the application;
however, while the -D version of snort is running, the entry is made
immediately into the log, and snort isn't picking up traffic.
I've tried just using & at the end of the command to start it up
semi-interactively and then push it to the background, but snort halts when
I do this.
Any ideas what I'm doing wrong?

-Gene


--__--__--

Message: 8
Date: Mon, 23 Oct 2000 12:22:10 -0400
From: Martin Roesch <roesch at ...421...>
Organization: Martyworld
To: Fabio Bastiglia Oliva <fboliva at ...674...>
CC: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Something Strange?!

You compiled with pthreads?  I wouldn't do that... :)

You might want to compile it up in debug mode (add a -DDEBUG to the end of
the DEFS line in the Makefile) and see what it says.

    -Marty

Fabio Bastiglia Oliva wrote:
>
> Hi guys,
>
>         There's something really strange here... I'm running Slackware
> 7.1, Snort 1.6.3-p2, Libnet 1.0, Libpcap 0.4. Snort compiled with
> pthreads and flexresp. But... When I run snort, it dies without any
> error message.
>         Someone here got the same problem?
>
> Best regards
> ________________________
> Fabio Bastiglia Oliva
> fboliva at ...674...

--
Martin Roesch
roesch at ...421...
http://www.snort.org

--__--__--

Message: 9
Date: Mon, 23 Oct 2000 12:27:22 -0400
From: Martin Roesch <roesch at ...421...>
Organization: Martyworld
To: Mark Scott <mscott at ...655...>
CC: Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] snort log file

Not right now, but that feature is coming.  There's a new feature in the
upcoming version 1.7 called "dynamic rules".  It allows you to specify a
rule that can turn on other rules.  This is not connection specific, however
(i.e. the rule that is turned on has its own rule header and there's no way
to communicate the specific connection properties at this point).  I'm
planning on implementing something like a "collect" keyword that will allow
alerts that go off to specify that all traffic that is *part of that
specific connection* be collected.  That may or may not get implemented in
version 1.7...


If you want to check out dynamic rules, they're in the version that's in CVS
right now.


     -Marty

Mark Scott wrote:
>
> Hi,
>
> What are most of you doing if you get a snort alert and want to look at
> the normal packets around the alert? Is it possible to configure snort to
> capture all packet traffic for a period of time and not just the packets
> that set off a rule?
>
> Thanks,
>
> Mark
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

--
Martin Roesch
roesch at ...421...
http://www.snort.org
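As an added example, not code from the thread or from the Snort distribution itself, here is what the activate/dynamic rule pair Marty describes looks like in the syntax that shipped with released Snort 1.7 and later. That the CVS tree he mentions used exactly this syntax at the time is an assumption; the HOME_NET value, the port and the content pattern are placeholders chosen for illustration, not a real signature.

```snort
# Added illustration of Snort "dynamic rules" (activate/dynamic pair).
# Syntax as documented for released Snort 1.7+; matching the October 2000
# CVS tree exactly is an assumption. Network, port and pattern are placeholders.
var HOME_NET 10.1.0.0/16

# An activate rule works like an alert rule, except that when it fires it
# also switches on every dynamic rule whose activated_by number matches
# the activates number given here.
activate tcp !$HOME_NET any -> $HOME_NET 143 (flags: PA; content: "LOGIN"; msg: "placeholder IMAP trigger, collecting follow-on packets"; activates: 1;)

# A dynamic rule works like a log rule but stays inert until activated.
# Note that it carries its own rule header: once switched on it logs the
# next 50 packets from ANY outside host to port 143 on HOME_NET, not only
# the packets of the connection that tripped the activate rule. That is
# the "not connection specific" limitation described above.
dynamic tcp !$HOME_NET any -> $HOME_NET 143 (activated_by: 1; count: 50;)
```

Put both lines in the rules file loaded with -c; the count is per activation, so a busy port 143 can exhaust the 50 packets on unrelated sessions before the interesting connection continues, which is exactly the gap the proposed "collect" keyword would close.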


--__--__--

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users


End of Snort-users Digest



