[Snort-users] the most cryptic fsck'ing thing...

John Sage jsage at ...2022...
Sun May 20 22:33:45 EDT 2001


Fyodor:

In a word, yes, /var/log/snort is there..

Actually, snort works great looking at eth0. It sees my rules, etc etc..

There seem to be issues with ppp0, although, here's a snip from the 
snort archives from just last month.

This is the end of the thread:

 > From: centipede (centiped at ...1832...)
 > Date: Wed Apr 18 2001 - 16:46:04 CDT

>
> Hi,
> 
> things are going on, slowly but still.
> I've built the new snort 1.8 beta 2 , and used the --enable-debug option.
> It seems that things are going all quite good, and $ppp0_ADDRESS is assiged
> my.ip.my.ip/255.255.255.255 .
> The progress I've had it when running snort regularly, not as a daemon.
> it worked ! running it as daemon seems to be my problem so meanwhile
> I'm gonna
> use it regularly,
> i.e. snort -bla -bla -bla & >/dev/null
> or something.
> any suggestion why could the -D be the problem ?
> Is there a better way to run it otherwise than I've mentioned ?
> 
> thanks.
> centipede.
> 
> Fyodor wrote:
> 
>> On Sun, Apr 15, 2001 at 08:09:45PM +0300, centipede wrote:
<snip>

So presently I'm going to put on the latest libpcap and --what?-- the 
1.8 beta of snort and see what happens..

Thanks for your response; sorry my post was so cranky...

- John

-- 
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."

Fyodor wrote:

> does your /var/log/snort/ directory exist?
> 
> On Sat, May 19, 2001 at 11:22:04AM -0700, John Sage wrote:
> 
>> At the risk of seeming like a total idiot (at this point I don't care ;-)
>> 
>> Snort has got to be the most cryptic fsck'ing thing to get running I've 
>> ever seen!
>> 
>> Using this command line in /etc/rc.d/rc.firewall.strong (which runs when 
>> ppp0 comes up):
>> 
>> /usr/bin/snort -b -D -i ppp0 -c /usr/local/snort-1.7/snort.conf
>> 
>> and *only* this in /usr/local/snort-1.7/snort.conf:
>> (there's no fancy stuff... they're all commented out)
>> 
>> #
>> var HOME_NET 192.168.1.0/24
>> 
>> and *only* my local rules:
>> 
>> # local rules
>> include /usr/local/snort-1.7/tcp-local-lib
>> include /usr/local/snort-1.7/udp-local-lib
>> include /usr/local/snort-1.7/icmp-local-lib
>> 
>> Which have the same permissions as everything else, and which are 
>> nothing more than:
>> 
>> 
>> log tcp any any -> $HOME_NET any (msg:"TCP packet";)
>> 
>> log udp any any -> $HOME_NET any (msg:"UDP packet";)
>> 
>> log icmp any any -> $HOME_NET any (msg:"ICMP packet";)
>> 
>> 
>> (which I *think* should log *everything*...)
>> 
>> 
>> OK: So, I dial up, and the firewall comes up, and from ps ax I get:
>> 
>> 26905 ?  S  0:00 /usr/bin/snort -b -D -i ppp0 -c 
>> /usr/local/snort-1.7/snort.conf
>> 
>> and this, brand new, in /var/log/snort,
>> 
>> [root at ...2057... /var/log/snort]# ls -lat
>> total 10
>> drwxr-xr-x    2 root     root         1024 May 19 10:48 .
>> -rw-------    1 root     root            0 May 19 10:48 alert
>> -rw-------    1 root     root            0 May 19 10:48 snort-0519 at ...2058...
>> 
>> and nothing ever gets logged or written here, no matter what kind of 
>> packets come in or how long I wait.
>> 
>> So, when I add to snort.conf:
>> 
>> #
>> output log_tcpdump: /var/log/snort/snort.tcpdump
>> 
>> Which is *exactly* what is in the FAQ, I get:
>> 
>> May 19 10:48:44 sparky snort: log_tcpdump TcpdumpInitLogFile(): No such 
>> file or
>> directory
>> 
>> What's that all about?
>> 
>> Is that why nothing's logging? (OK: well, duh..)
>> 
>> So, how do I fix "log_tcpdump TcpdumpInitLogFile(): No such file or
>> directory" and why do I *have* to fix it, when this was just a plain 
>> vanilla, box-stock install right from the instructions in INSTALL?
>> 
>> Finally, how can I dump the current active variables?
>> 
>> Is there something like "echo $HOME_NET"?
>> 
>> Thanks loads,
>> 
>> - John





More information about the Snort-users mailing list