[Snort-users] the most cryptic fsck'ing thing...
jsage at ...2022...
Sat May 19 14:22:04 EDT 2001
At the risk of seeming like a total idiot (at this point I don't care ;-)
Snort has got to be the most cryptic fsck'ing thing to get running I've
Using this command line in /etc/rc.d/rc.firewall.strong (which runs when
ppp0 comes up):
/usr/bin/snort -b -D -i ppp0 -c /usr/local/snort-1.7/snort.conf
and *only* this in /usr/local/snort-1.7/snort.conf:
(there's no fancy stuff... they're all commented out)
var HOME_NET 192.168.1.0/24
and *only* my local rules:
# local rules
Which have the same permissions as everything else, and which are
nothing more than:
log tcp any any -> $HOME_NET any (msg:"TCP packet";)
log udp any any -> $HOME_NET any (msg:"UDP packet";)
log icmp any any -> $HOME_NET any (msg:"ICMP packet";)
(which I *think* should log *everything*...)
OK: So, I dial up, and the firewall comes up, and from ps ax I get:
26905 ? S 0:00 /usr/bin/snort -b -D -i ppp0 -c
and this, brand new, in /var/log/snort,
[root at ...2057... /var/log/snort]# ls -lat
drwxr-xr-x 2 root root 1024 May 19 10:48 .
-rw------- 1 root root 0 May 19 10:48 alert
-rw------- 1 root root 0 May 19 10:48 snort-0519 at ...2058...
and nothing ever gets logged or written here, no matter what kind of
packets come in or how long I wait.
So, when I add to snort.conf:
output log_tcpdump: /var/log/snort/snort.tcpdump
Which is *exactly* what is in the FAQ, I get:
May 19 10:48:44 sparky snort: log_tcpdump TcpdumpInitLogFile(): No such
What's that all about?
Is that why nothing's logging? (OK: well, duh..)
So, how do I fix "log_tcpdump TcpdumpInitLogFile(): No such file or
directory" and why do I *have* to fix it, when this was just a plain
vanilla, box-stock install right from the instructions in INSTALL?
Finally, how can I dump the current active variables?
Is there something like "echo $HOME_NET"?
FinchHaven, Vashon Island, WA, USA
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."
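As an added example (not from the original post or from the Snort project), a small Python script that does what the last question asks for: it reads the `var` lines of a snort.conf and the local rules quoted above (embedded here as constructed sample text), returns the effective variable table, and parses each rule with `$HOME_NET` expanded, raising an error for any variable a rule references that the config never defines.

```python
import re
# Constructed sample text: the snort.conf and local rules quoted in the post.
SNORT_CONF = """\
var HOME_NET 192.168.1.0/24
"""
LOCAL_RULES = """\
# local rules
log tcp any any -> $HOME_NET any (msg:"TCP packet";)
log udp any any -> $HOME_NET any (msg:"UDP packet";)
log icmp any any -> $HOME_NET any (msg:"ICMP packet";)
"""

# Rule header layout: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

def load_vars(conf_text):
    """Collect `var NAME VALUE` lines; comments and blank lines are skipped."""
    variables = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 2)
        if parts[0] == 'var' and len(parts) == 3:
            variables[parts[1]] = parts[2]
    return variables

def expand(field, variables):
    """Substitute $NAME with its value; a name the config never defined is an error."""
    def sub(m):
        if m.group(1) not in variables:
            raise KeyError(f'undefined variable ${m.group(1)}')
        return variables[m.group(1)]
    return re.sub(r'\$(\w+)', sub, field)

def parse_rules(rules_text, variables):
    """Parse each rule line into its fields, expanding variables in src/dst."""
    rules = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f'unparseable rule: {line}')
        r = m.groupdict()
        for key in ('src', 'dst'):
            r[key] = expand(r[key], variables)
        rules.append(r)
    return rules
```

Calling `load_vars(SNORT_CONF)` gives the "echo $HOME_NET" style dump, and `parse_rules(LOCAL_RULES, ...)` shows each rule as Snort would see it after substitution.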