[Snort-users] RE: -D run error

Martin Roesch roesch at ...421...
Tue Oct 24 18:49:10 EDT 2000


Hmm, interesting.  Testing out the daemon mode code hasn't really been my area
to this point, but it looks like it's warranted currently.  I'll fire up my
redhat box and see if it has problems there.

Another thing you could try is compiling in DEBUG mode and seeing what Snort
says.  To do this, go into the Makefile and add -DDEBUG to the end of the DEFS
line.

I've got to get my Jaz drive fired up so I can try booting more variations of
OSes on my dev platforms...

> PS- Great job at SANS Marty.. I really enjoyed your lectures... Glad you got
> the TCP Flags in order now :)

Hehe, thanks.  People have been asking me that one for a while.  I think
people fail to realize that Snort is largely written between 11PM and 3AM, so
sometimes things like that happen. :)

   -Marty

Tom Moore wrote:
> 
> I've had the exact same problem with a compiled snort on Debian linux.
>  The -D option causes the run to bomb out immediately, with the error:
> 
> snort -D -S HOME_NET=my.net.0.0/16 -h my.net.0.0/16 -c
> /etc/snort/snort-lib -t /var/log/snort -u snort -g snort -s -i -eth0
> 
> Initializing Network Interface...
> linux socket: Operation not permitted
> 
> Running strace shows:
> 
> [!] ERROR: Can not get write to logging directory /var/log/snort.
> (directory doesn't exist or permissions are set incorrectly)
> 
> I assumed that the process running as snort was having problems writing to
> the snort log dir, so I made sure it was owned by snort and +rw.  This still
> didn't seem to solve the problem.
> 
> There was also a stat to /etc/group that returned ENOENT, but there does
> exist a /etc/group file, so I'm not sure what the problem is.
> 
> FWIW, the debian woody code 1.6.3 binary out of the pkg tree works fine, I
> just wanted to compile my own binary to use the flexresp options.
> 
> PS- Great job at SANS Marty.. I really enjoyed your lectures... Glad you got
> the TCP Flags in order now :)
> 
> ---
> Tom Moore
> Duke University
> tom at ...679...
> 
> >Message: 7
> >From: "Gene R. Gomez" <ggomez at ...677...>
> >To: "'snort-users at lists.sourceforge.net'"
> <snort-users at lists.sourceforge.net>
> >Date: Mon, 23 Oct 2000 09:14:05 -0700
> >Subject: [Snort-users] difficulties with -D
> 
> Hey folks,
> I'm using snort-1.6.3-patch2, and having problems with -D.  Essentially,
> when I explicitly start snort without the -D option, everything works fine;
> however, if I specify -D, /var/log/messages reflects that eth0 is entering
> promiscuous mode, then IMMEDIATELY dropping out.  I've noticed that, when I
> run snort from the command line, as soon as I exit snort it looks like the
> timing is turning off promiscuous right away, but the entry for leaving
> promiscuous doesn't pop up in the logs until I exit the application;
> however, while the -D version of snort is running, the entry is made
> immediately into the log, and snort isn't picking up traffic.
> I've tried just using & at the end of the command to start it up
> semi-interactively and then push it to the background, but snort halts when
> I do this.
> Any ideas what I'm doing wrong?
> 
> -Gene
> 
> --__--__--
> 
> Message: 8
> Date: Mon, 23 Oct 2000 12:22:10 -0400
> From: Martin Roesch <roesch at ...421...>
> Organization: Martyworld
> To: Fabio Bastiglia Oliva <fboliva at ...674...>
> CC: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Something Strange?!
> 
> You compiled with pthreads?  I wouldn't do that... :)
> 
> You might want to compile it up in debug mode (add a -DDEBUG to the end of the
> DEFS line in the Makefile) and see what it says.
> 
>     -Marty
> 
> Fabio Bastiglia Oliva wrote:
> >
> > Hi guys,
> >
> >         There's something really strange here... I'm running Slackware
> > 7.1, Snort 1.6.3-p2, Libnet 1.0, Libpcap 0.4. Snort compiled with
> > pthreads and flexresp. But... When I run snort, it dies without any
> > error message.
> >         Has someone here got the same problem?
> >
> > Best regards
> > ________________________
> > Fabio Bastiglia Oliva
> > fboliva at ...674...
> 
> --
> Martin Roesch
> roesch at ...421...
> http://www.snort.org
> 
> --__--__--
> 
> Message: 9
> Date: Mon, 23 Oct 2000 12:27:22 -0400
> From: Martin Roesch <roesch at ...421...>
> Organization: Martyworld
> To: Mark Scott <mscott at ...655...>
> CC: Snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] snort log file
> 
> Not right now, but that feature is coming.  There's a new feature in the
> upcoming version 1.7 called "dynamic rules".  It allows you to specify a rule
> that can turn on other rules.  This is not connection specific, however (i.e.
> the rule that is turned on has its own rule header and there's no way to
> communicate the specific connection properties at this point).  I'm planning
> on implementing something like a "collect" keyword that will allow alerts that
> go off to specify that all traffic that is *part of that specific connection*
> be collected.  That may or may not get implemented in version 1.7...
> 
> If you want to check out dynamic rules, they're in the version that's in CVS
> right now.
> 
>      -Marty
> 
> Mark Scott wrote:
> >
> > Hi,
> >
> > What are most of you doing if you get a snort alert and want to look at the
> > normal packets around the alert? Is it possible to configure snort to
> > capture all packet traffic for a period of time and not just the packets
> > that set off a rule?
> >
> > Thanks,
> >
> > Mark
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
> 
> --
> Martin Roesch
> roesch at ...421...
> http://www.snort.org
> 
> --__--__--
> 
> End of Snort-users Digest

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
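The failures reported up-thread (a daemonized snort unable to write its log directory after dropping to -u snort -g snort, a lookup in /etc/group that does not resolve, an interface argument handed to -i) are all things that can be verified before snort -D is ever launched, and Marty's -DDEBUG advice is a one-line Makefile edit that is easy to get wrong by hand. The script below is an added example written for this thread; it is not code from the thread, from the posters or from the Snort project. It assumes GNU stat(1), a Linux /sys/class/net, that -u/-g are given as names present in /etc/passwd and /etc/group, that the Makefile has a single "DEFS =" line, and it builds the start command with -l for the log directory; the user, group, paths and interface it is shown with are placeholders.

```shell
#!/bin/sh
# Pre-flight checks for running Snort daemonized (-D) as an unprivileged user.
# Added example for this thread; not code from the thread or from Snort.
# Assumptions: GNU stat(1), Linux /sys/class/net, -u/-g given as names.

# The directory Snort logs to must exist and be owned by the -u/-g identity,
# with the owner write+execute bits set, or the post-setuid process cannot
# create files in it no matter who started the daemon.
check_logdir() {
    dir=$1; user=$2; group=$3
    [ -d "$dir" ] || { echo "logdir: $dir is not a directory" >&2; return 1; }
    owner=$(stat -c '%U:%G' "$dir") || return 1
    [ "$owner" = "$user:$group" ] || {
        echo "logdir: $dir owned by $owner, expected $user:$group" >&2; return 1; }
    mode=$(stat -c '%a' "$dir") || return 1
    mode=${mode#"${mode%???}"}            # keep the last three octal digits
    case "$mode" in
        3??|7??) return 0 ;;              # owner digit has w (2) and x (1)
        *) echo "logdir: mode $mode lacks owner write/exec on $dir" >&2; return 1 ;;
    esac
}

# -u/-g must resolve to entries in the passwd and group files.
check_user()  { grep -q "^$1:" /etc/passwd || { echo "user $1 not in /etc/passwd" >&2; return 1; }; }
check_group() { grep -q "^$1:" /etc/group  || { echo "group $1 not in /etc/group" >&2; return 1; }; }

# -i takes an interface name; reject an empty name or one beginning with '-',
# which is not an interface name, then confirm the kernel knows the interface.
check_iface() {
    case "$1" in
        ''|-*) echo "iface: '$1' is not an interface name (expected e.g. eth0)" >&2; return 1 ;;
    esac
    [ -e "/sys/class/net/$1" ] || { echo "iface: $1 not present" >&2; return 1; }
}

# Marty's debugging suggestion: append -DDEBUG to the DEFS line of the
# Makefile. Idempotent, so re-running does not stack the flag.
enable_debug() {
    mk=$1
    grep -q '^DEFS *=' "$mk" || { echo "no DEFS line in $mk" >&2; return 1; }
    grep -q '^DEFS *=.*-DDEBUG' "$mk" && return 0
    sed 's/^\(DEFS *=.*\)$/\1 -DDEBUG/' "$mk" > "$mk.tmp" && mv "$mk.tmp" "$mk"
}

# Run every check; on success print the command line that starts the daemon.
preflight() {
    iface=$1; user=$2; group=$3; logdir=$4; conf=$5
    check_iface "$iface" || return 1
    check_user "$user"   || return 1
    check_group "$group" || return 1
    check_logdir "$logdir" "$user" "$group" || return 1
    [ -r "$conf" ] || { echo "config $conf not readable" >&2; return 1; }
    echo "snort -D -i $iface -u $user -g $group -l $logdir -c $conf"
}

# Example invocation (all values are placeholders):
# preflight eth0 snort snort /var/log/snort /etc/snort/snort.conf
```

Each check prints the specific precondition that failed, which is the information the bare "Operation not permitted" / "Can not get write to logging directory" messages in the thread leave out; run it as the same root account that will start the daemon, since ownership is checked against the target -u/-g identity rather than against whoever runs the script.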



More information about the Snort-users mailing list