[Snort-users] First time in NIDS mode, and...

Oxenreider, Jeff jox at ...963...
Wed May 16 10:55:37 EDT 2001


I've seen this happen to me on occasion, and if I open up the snort.conf
file, in "vi" and then do a "write quit", thereby updating the timestamp on
the file, and rerun snort, it fires right up.  I don't have an explanation
for the action and it hasn't been a burden on me too much and I just chalked
it up to something I was doing wrong so never posted any sort of a bug
report on it.

Bad Jeff, Bad.....


Jeffrey A. Oxenreider
Senior Network/Security Engineer
Safelite Glass Corp


-----Original Message-----
From: John Sage [mailto:jsage at ...2022...]
Sent: Wednesday, May 16, 2001 10:27 AM
To: Snort Users
Subject: [Snort-users] First time in NIDS mode, and...


Just got snort on; works great in packet logging mode; now I'm moving on 
to NIDS mode and I'm getting this:

from logcheck:
May 16 06:49:42 sparky pppd[10996]: Connect: ppp0 <--> /dev/modem
:
May 16 06:49:45 sparky snort: ERROR: Unable to open rules file: webcgi-lib
:
May 16 06:49:45 sparky kernel: device ppp0 entered promiscuous mode
May 16 06:49:45 sparky kernel: device ppp0 left promiscuous mode

command line (run from the script that sets up ipchains):

/usr/bin/snort -d -D -l /var/log/snort -h 192.168.1.0/24 -i ppp0 -c 
/usr/local/snort-1.7/snort.conf

snort.conf is the box-stock one that came with the 1.7 distro.

Question:

Why can't it load webcgi-lib? It's there, etc etc..

I'm getting no other messages about anything.

ps ax shows snort running in daemon mode with that command line, and 
there is a zero-length file at  /var/log/snort/portscan.log

Thnx..

- John

-- 
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20010516/ff86aa7a/attachment.html>


More information about the Snort-users mailing list