[Snort-users] the most cryptic fsck'ing thing...

John Sage jsage at ...2022...
Sat May 19 14:22:04 EDT 2001

At the risk of seeming like a total idiot (at this point I don't care ;-)

Snort has got to be the most cryptic fsck'ing thing to get running I've 
ever seen!

Using this command line in /etc/rc.d/rc.firewall.strong (which runs when 
ppp0 comes up):

/usr/bin/snort -b -D -i ppp0 -c /usr/local/snort-1.7/snort.conf

and *only* this in /usr/local/snort-1.7/snort.conf:
(there's no fancy stuff... they're all commented out)


and *only* my local rules:

# local rules
include /usr/local/snort-1.7/tcp-local-lib
include /usr/local/snort-1.7/udp-local-lib
include /usr/local/snort-1.7/icmp-local-lib

Which have the same permissions as everything else, and which are 
nothing more than:

log tcp any any -> $HOME_NET any (msg:"TCP packet";)

log udp any any -> $HOME_NET any (msg:"UDP packet";)

log icmp any any -> $HOME_NET any (msg:"ICMP packet";)

(which I *think* should log *everything*...)

OK: So, I dial up, and the firewall comes up, and from ps ax I get:

26905 ?  S  0:00 /usr/bin/snort -b -D -i ppp0 -c 

and this, brand new, in /var/log/snort,

[root at ...2057... /var/log/snort]# ls -lat
total 10
drwxr-xr-x    2 root     root         1024 May 19 10:48 .
-rw-------    1 root     root            0 May 19 10:48 alert
-rw-------    1 root     root            0 May 19 10:48 snort-0519 at ...2058...

and nothing ever gets logged or written here, no matter what kind of 
packets come in or how long I wait.

So, when I add to snort.conf:

output log_tcpdump: /var/log/snort/snort.tcpdump

Which is *exactly* what is in the FAQ, I get:

May 19 10:48:44 sparky snort: log_tcpdump TcpdumpInitLogFile(): No such 
file or

What's that all about?

Is that why nothing's logging? (OK: well, duh..)

So, how do I fix "log_tcpdump TcpdumpInitLogFile(): No such file or
directory" and why do I *have* to fix it, when this was just a plain 
vanilla, box-stock install right from the instructions in INSTALL?

Finally, how can I dump the current active variables?

Is there something like "echo $HOME_NET"?

Thanks loads,

- John

John Sage
FinchHaven, Vashon Island, WA, USA
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."

More information about the Snort-users mailing list