[Snort-users] Closer to the -D issue

Marko Jennings marko at ...303...
Thu Oct 26 22:28:19 EDT 2000


I got the same results as Gene:

Oct 26 22:16:35 usdtwids0001 kernel: eth0: Setting promiscuous mode.
Oct 26 22:16:35 usdtwids0001 snort: [?] NOTICE: _PATH_VARRUN is unavailable!    => Logging Snort PID to log directory (/usr/local/snort/logs)
Oct 26 22:16:35 usdtwids0001 snort: linux socket: Operation not permitted
Oct 26 22:16:35 usdtwids0001 snort:
Oct 26 22:16:35 usdtwids0001 snort: Initializing Network Interface...
Oct 26 22:16:35 usdtwids0001 snort: Rule application order changed to Pass->Alert->Log
Oct 26 22:16:35 usdtwids0001 snort: Initializing daemon mode
Oct 26 22:16:35 usdtwids0001 snort.new: Starting NIDS succeeded


However, right now, I have no way of testing if it is working correctly
or not (with the -D flag, it used to only see its own traffic).  I
assume that the fact that the message about leaving the promiscuous mode
means it's OK, but I'll need to see it with my own eyes.

Could someone please tell me what the "_PATH_VARRUN" and "Operation not
permitted" messages mean and whether I need to do something about them
or not?

Thank you all.

Marko Jennings


> "Gene R. Gomez" wrote:
> 
> Marty and anyone else who's interested...
> I was tinkering around with snort-1.6.3-patch2, and added the -u and
> -g flags to my startup script.  Instead of running as root, I'm now
> running as snort.  Here is the resulting /var/log/messages entry
> regarding that:
> 
> Oct 26 15:23:20 fuzzy kernel: snort uses obsolete (PF_INET,SOCK_PACKET)
> Oct 26 15:23:20 fuzzy kernel: eth0: Setting promiscuous mode.
> Oct 26 15:23:20 fuzzy kernel: device eth0 entered promiscuous mode
> Oct 26 15:23:20 fuzzy snort: [?] NOTICE: _PATH_VARRUN is unavailable! => Logging Snort PID to log directory (/var/log/snort)
> Oct 26 15:23:20 fuzzy snort: linux socket: Operation not permitted
> Oct 26 15:23:20 fuzzy snort:
> Oct 26 15:23:20 fuzzy snort: Initializing Network Interface...
> Oct 26 15:23:20 fuzzy snort: Initializing daemon mode
> Oct 26 15:23:20 fuzzy snort: snort startup succeeded
> 
> Guess what?  snort -D is running fine now.  The difference appears to
> be that linux socket command.  When snort-1.6.3-patch2 is running as
> root on my Red Hat Linux 7.0 box (libpcap and glibc already updated),
> the next entry after it enters promiscuous would be something like:
> 
> Oct 26 15:23:20 fuzzy kernel: device eth0 leaving promiscuous mode
> 
> I did compile snort-1.6.3-patch2 using the -DDEBUG specification you
> mentioned before, but it created a 50M portscan.log file which my
> system promptly mailed to everyone on my alerts list.  :)
> Because of that, it's not highly likely that I'll be trying it again
> soon on anything but a testing system.  ;)
> Ok...Marko Jennings!  Can you try to verify this on your Red Hat 6.2
> platform?  It sounded like we were encountering identical issues...
> 
> -Gene
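Both messages above ask the same two things: what the _PATH_VARRUN notice and the "Operation not permitted" line mean, and how to tell from the logs whether the daemonized sensor is still sniffing. The script below is an added example written for this thread, not Snort code and not from either poster. It reads syslog-style lines like the ones quoted above and reports three things: the PID-file fallback (_PATH_VARRUN is the <paths.h> constant for /var/run/, which an unprivileged snort user cannot write to, so the PID goes to the log directory instead), the refused packet socket (opening a PF_PACKET/SOCK_PACKET socket needs root or CAP_NET_RAW, so it fails with EPERM once -u/-g has dropped privileges), and whether the kernel reports the interface leaving promiscuous mode right after entering it, which is the -D symptom Gene describes. The sample log text is a constructed copy of Gene's excerpt; the "leaving" case is built from it for the failing path.

```python
"""Triage Snort startup lines from a syslog-style /var/log/messages file.

Added example for the Snort-users thread; not part of Snort itself.
"""
import re

# Generic syslog line: "Mon DD HH:MM:SS host program: message" (message may be empty).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:\s]+):\s?(?P<msg>.*)$"
)
# Snort's fallback notice carries the directory it chose in parentheses.
PID_FALLBACK_RE = re.compile(r"_PATH_VARRUN is unavailable!.*\((?P<dir>[^)]+)\)")
# Kernel promiscuous-mode messages, oldest wording first; newer kernels say "left".
PROMISC_RES = [
    ("set", re.compile(r"^(?P<iface>\S+): Setting promiscuous mode")),
    ("entered", re.compile(r"^device (?P<iface>\S+) entered promiscuous mode")),
    ("left", re.compile(r"^device (?P<iface>\S+) (?:leaving|left) promiscuous mode")),
]

# Constructed sample: Gene's /var/log/messages excerpt, one entry per line.
GOOD_LOG = """\
Oct 26 15:23:20 fuzzy kernel: snort uses obsolete (PF_INET,SOCK_PACKET)
Oct 26 15:23:20 fuzzy kernel: eth0: Setting promiscuous mode.
Oct 26 15:23:20 fuzzy kernel: device eth0 entered promiscuous mode
Oct 26 15:23:20 fuzzy snort: [?] NOTICE: _PATH_VARRUN is unavailable! => Logging Snort PID to log directory (/var/log/snort)
Oct 26 15:23:20 fuzzy snort: linux socket: Operation not permitted
Oct 26 15:23:20 fuzzy snort:
Oct 26 15:23:20 fuzzy snort: Initializing Network Interface...
Oct 26 15:23:20 fuzzy snort: Initializing daemon mode
Oct 26 15:23:20 fuzzy snort: snort startup succeeded
"""
# Constructed failing case: the same start-up followed by the line Gene saw when -D broke.
BAD_LOG = GOOD_LOG + "Oct 26 15:23:20 fuzzy kernel: device eth0 leaving promiscuous mode\n"


def parse(text):
    """Yield (program, message) for every line that parses as a syslog entry."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("prog"), m.group("msg")


def analyze(text):
    """Return a findings dict for one start-up's worth of log lines."""
    findings = {"pid_dir": None, "socket_eperm": False, "promisc": {}, "capture_lost": False}
    for prog, msg in parse(text):
        if prog.startswith("snort"):          # "snort" and the "snort.new" variant
            m = PID_FALLBACK_RE.search(msg)
            if m:
                findings["pid_dir"] = m.group("dir")
            if "Operation not permitted" in msg:
                findings["socket_eperm"] = True
        elif prog == "kernel":
            for kind, rx in PROMISC_RES:
                m = rx.match(msg)
                if m:
                    findings["promisc"].setdefault(m.group("iface"), []).append(kind)
    # A "left" that follows a set/entered on the same interface means the
    # capture handle was closed again: the sensor is no longer on the wire.
    for events in findings["promisc"].values():
        entered = False
        for kind in events:
            if kind in ("set", "entered"):
                entered = True
            elif kind == "left" and entered:
                findings["capture_lost"] = True
    return findings


def explain(findings):
    """Turn findings into short operator-facing notes."""
    notes = []
    if findings["pid_dir"]:
        notes.append(f"PID file went to {findings['pid_dir']}: /var/run is not writable "
                     "by the unprivileged snort user (informational).")
    if findings["socket_eperm"]:
        notes.append("packet socket refused (EPERM): the process no longer had root/CAP_NET_RAW "
                     "when a socket was opened; harmless only if the capture was opened first.")
    if findings["capture_lost"]:
        notes.append("interface left promiscuous mode right after entering it: the sensor "
                     "is not sniffing the wire (the -D symptom).")
    elif findings["promisc"]:
        notes.append("interface entered promiscuous mode and stayed there.")
    return notes


if __name__ == "__main__":
    for label, text in (("good", GOOD_LOG), ("bad", BAD_LOG)):
        print(label)
        for note in explain(analyze(text)):
            print("  -", note)
```

Run it against a copy of /var/log/messages to get the same verdicts on real start-ups. To see the state "with your own eyes" rather than infer it from syslog, check the interface flags directly: `ip link show eth0` lists PROMISC among the flags while something is sniffing, and bit 0x100 (IFF_PROMISC) is set in `/sys/class/net/eth0/flags`.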


