[Snort-users] Re: Difficulties with -D
Gene R. Gomez
ggomez at ...677...
Tue Oct 24 15:02:18 EDT 2000
Snort continues to run with -D, it just isn't doing so in promiscuous mode.
Even odder is that I've found if I stop snort, run it interactively, then
start snort with -D (while the interactive snort is running), somehow it
stays in promiscuous mode.
I was using snort-1.6.3 (non patch2) for a while before this; I moved to
patch2 because 1.6.3 would run for 5-10 minutes at a time and just stop
(probably due to a permissions error when it attempted to log an entry); it
didn't exhibit this behavior (dropping promiscuous mode).
I'm probably going to regret saying this, but I'm attempting to run snort on
a RHLinux7.0 machine; so it could possibly be attributed to a new, untested,
KNOWN-BUGGY OS. However, I'm not running libpcap from the RH distro (which
I'm well aware that many claim is broken), and my RHLinux install is pretty
stripped down (during custom install I specified to only install Networking,
Development Tools, and Utilities).
I was, however, hoping that others had the same experience, and would be
able to confirm to me that moving to another machine platform would help.
Regardless, since I posted this message, I've got a workable solution. It
just requires an admin at the console while the service is starting so that
they can start up, stop, and start the service again. ;)
From: Fyodor [mailto:fygrave at ...121...]
Sent: Tuesday, October 24, 2000 4:08 AM
To: Gene R. Gomez
Subject: Re: [Snort-users] difficulties with -D
but is snort actually running after promisc mode is dropped or it dies off
On Mon, Oct 23, 2000 at 09:14:05AM -0700, Gene R. Gomez wrote:
> Hey folks,
> I'm using snort-1.6.3-patch2, and having problems with -D. Essentially,
> when I explicitly start snort without the -D option, everything works
> however, if I specify -D, /var/log/messages reflects that eth0 is entering
> promiscuous mode, then IMMEDIATELY dropping out. I've noticed that, when
> run snort from the command line, as soon as I exit snort it looks like the
> timing is turning off promiscuous right away, but the entry for leaving
> promiscuous doesn't pop up in the logs until I exit the application;
> however, while the -D version of snort is running, the entry is made
> immediately into the log, and snort isn't picking up traffic.
> I've tried just using & at the end of the command to start it up
> semi-interactively and then push it to the background, but snort halts
> I do this.
> Any ideas what I'm doing wrong?
There once was a couple named Kelley,
Who lived their life belly to belly.
Because in their haste
They used Library Paste,
Instead of Petroleum Jelly.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users