[Snort-users] First time in NIDS mode, and...

Scott, Joshua Joshua.Scott at ...1955...
Wed May 16 12:41:51 EDT 2001


Make sure that either you run Snort from the directory that has all the
rules files and your snort.conf, or make sure that your snort.conf has the
full path to each of your rules files.

-----Original Message-----
From: Oxenreider, Jeff [mailto:jox at ...963...]
Sent: Wednesday, May 16, 2001 7:56 AM
To: 'John Sage'; Snort Users
Subject: RE: [Snort-users] First time in NIDS mode, and...



I've seen this happen to me on occasion, and if I open up the snort.conf
file, in "vi" and then do a "write quit", thereby updating the timestamp on
the file, and rerun snort, it fires right up.  I don't have an explanation
for the action and it hasn't been a burden on me too much and I just chalked
it up to something I was doing wrong so never posted any sort of a bug
report on it.

Bad Jeff, Bad..... 


Jeffrey A. Oxenreider 
Senior Network/Security Engineer 
Safelite Glass Corp 


-----Original Message----- 
From: John Sage [ mailto:jsage at ...2022... <mailto:jsage at ...2022...>
] 
Sent: Wednesday, May 16, 2001 10:27 AM 
To: Snort Users 
Subject: [Snort-users] First time in NIDS mode, and... 


Just got snort on; works great in packet logging mode; now I'm moving on 
to NIDS mode and I'm getting this: 

from logcheck: 
May 16 06:49:42 sparky pppd[10996]: Connect: ppp0 <--> /dev/modem 
: 
May 16 06:49:45 sparky snort: ERROR: Unable to open rules file: webcgi-lib 
: 
May 16 06:49:45 sparky kernel: device ppp0 entered promiscuous mode 
May 16 06:49:45 sparky kernel: device ppp0 left promiscuous mode 

command line (run from the script that sets up ipchains): 

/usr/bin/snort -d -D -l /var/log/snort -h 192.168.1.0/24 -i ppp0 -c 
/usr/local/snort-1.7/snort.conf 

snort.conf is the box-stock one that came with the 1.7 distro. 

Question: 

Why can't it load webcgi-lib? It's there, etc etc.. 

I'm getting no other messages about anything. 

ps ax shows snort running in daemon mode with that command line, and 
there is a zero-length file at  /var/log/snort/portscan.log 

Thnx.. 

- John 

-- 
John Sage 
FinchHaven, Vashon Island, WA, USA 
http://www.finchhaven.com/ <http://www.finchhaven.com/>  
mailto:jsage at ...2022... <mailto:jsage at ...2022...>  
"The web is so, like, five minutes ago..." 


_______________________________________________ 
Snort-users mailing list 
Snort-users at lists.sourceforge.net 
Go to this URL to change user options or unsubscribe: 
http://lists.sourceforge.net/lists/listinfo/snort-users
<http://lists.sourceforge.net/lists/listinfo/snort-users>  
Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users
<http://www.geocrawler.com/redir-sf.php3?list=snort-users>  

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20010516/8b3b7dc2/attachment.html>


More information about the Snort-users mailing list