[Snort-users] Closer to the -D issue
Gene R. Gomez
ggomez at ...677...
Thu Oct 26 18:43:23 EDT 2000

Marty and anyone else who's interested...

I was tinkering around with snort-1.6.3-patch2, and added the -u and -g
flags to my startup script. Instead of running as root, I'm now running as
snort. Here is the resulting /var/log/messages entry regarding that:

Oct 26 15:23:20 fuzzy kernel: snort uses obsolete (PF_INET,SOCK_PACKET)
Oct 26 15:23:20 fuzzy kernel: eth0: Setting promiscuous mode.
Oct 26 15:23:20 fuzzy kernel: device eth0 entered promiscuous mode
Oct 26 15:23:20 fuzzy snort: [?] NOTICE: _PATH_VARRUN is unavailable! => Logging Snort PID to log directory (/var/log/snort)
Oct 26 15:23:20 fuzzy snort: linux socket: Operation not permitted
Oct 26 15:23:20 fuzzy snort:
Oct 26 15:23:20 fuzzy snort: Initializing Network Interface...
Oct 26 15:23:20 fuzzy snort: Initializing daemon mode
Oct 26 15:23:20 fuzzy snort: snort startup succeeded

Guess what? snort -D is running fine now. The difference appears to be
that linux socket command. When snort-1.6.3-patch2 is running as root on my
Red Hat Linux 7.0 box (libpcap and glibc already updated), the next entry
after it enters promiscuous would be something like:

Oct 26 15:23:20 fuzzy kernel: device eth0 leaving promiscuous mode

I did compile snort-1.6.3-patch2 using the -DDEBUG specification you
mentioned before, but it created a 50M portscan.log file which my system
promptly mailed to everyone on my alerts list. :)
Because of that, it's not highly likely that I'll be trying it again soon on
anything but a testing system. ;)

Ok...Marko Jennings! Can you try to verify this on your Red Hat 6.2
platform? It sounded like we were encountering identical issues...