[Snort-users] Closer to the -D issue

Gene R. Gomez ggomez at ...677...
Thu Oct 26 18:43:23 EDT 2000


Marty and anyone else who's interested...
I was tinkering around with snort-1.6.3-patch2, and added the -u and -g
flags to my startup script.  Instead of running as root, I'm now running as
snort.  Here is the resulting /var/log/messages entry regarding that:
 
Oct 26 15:23:20 fuzzy kernel: snort uses obsolete (PF_INET,SOCK_PACKET)
Oct 26 15:23:20 fuzzy kernel: eth0: Setting promiscuous mode.
Oct 26 15:23:20 fuzzy kernel: device eth0 entered promiscuous mode
Oct 26 15:23:20 fuzzy snort: [?] NOTICE: _PATH_VARRUN is unavailable! => Logging Snort PID to log directory (/var/log/snort)
Oct 26 15:23:20 fuzzy snort: linux socket: Operation not permitted
Oct 26 15:23:20 fuzzy snort: 
Oct 26 15:23:20 fuzzy snort: Initializing Network Interface...
Oct 26 15:23:20 fuzzy snort: Initializing daemon mode
Oct 26 15:23:20 fuzzy snort: snort startup succeeded
 
Guess what?  snort -D is running fine now.  The difference appears to be
that linux socket command.  When snort-1.6.3-patch2 is running as root on my
Red Hat Linux 7.0 box (libpcap and glibc already updated), the next entry
after it enters promiscuous would be something like:
 
Oct 26 15:23:20 fuzzy kernel: device eth0 leaving promiscuous mode
 
I did compile snort-1.6.3-patch2 using the -DDEBUG specification you
mentioned before, but it created a 50M portscan.log file which my system
promptly mailed to everyone on my alerts list.  :)
Because of that, it's not highly likely that I'll be trying it again soon on
anything but a testing system.  ;)
Ok...Marko Jennings!  Can you try to verify this on your Red Hat 6.2
platform?  It sounded like we were encountering identical issues...
 
-Gene