[Snort-users] the most cryptic fsck'ing thing...
jsage at ...2022...
Sun May 20 22:33:45 EDT 2001
In a word, yes, /var/log/snort is there.
Actually, snort works great looking at eth0. It sees my rules, etc.
There seem to be issues with ppp0, although here's a snip from the
snort archives from just last month.
This is the end of the thread:
> From: centipede (centiped at ...1832...)
> Date: Wed Apr 18 2001 - 16:46:04 CDT
> things are going on, slowly but still.
> I've built the new snort 1.8 beta 2 , and used the --enable-debug option.
> It seems that things are all going quite well, and $ppp0_ADDRESS is assigned
> my.ip.my.ip/255.255.255.255.
> The progress I've had is when running snort regularly, not as a daemon.
> It worked! Running it as a daemon seems to be my problem, so meanwhile
> I'm gonna
> use it regularly,
> i.e. snort -bla -bla -bla & >/dev/null
> or something.
> Any suggestion why the -D could be the problem?
> Is there a better way to run it, other than what I've mentioned?
> Fyodor wrote:
>> On Sun, Apr 15, 2001 at 08:09:45PM +0300, centipede wrote:
So presently I'm going to put on the latest libpcap and --what?-- the
1.8 beta of snort and see what happens.
Thanks for your response; sorry my post was so cranky...
FinchHaven, Vashon Island, WA, USA
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."
> does your /var/log/snort/ directory exist?
> On Sat, May 19, 2001 at 11:22:04AM -0700, John Sage wrote:
>> At the risk of seeming like a total idiot (at this point I don't care ;-)
>> Snort has got to be the most cryptic fsck'ing thing to get running I've
>> ever seen!
>> Using this command line in /etc/rc.d/rc.firewall.strong (which runs when
>> ppp0 comes up):
>> /usr/bin/snort -b -D -i ppp0 -c /usr/local/snort-1.7/snort.conf
>> and *only* this in /usr/local/snort-1.7/snort.conf:
>> (there's no fancy stuff... they're all commented out)
>> var HOME_NET 192.168.1.0/24
>> and *only* my local rules:
>> # local rules
>> include /usr/local/snort-1.7/tcp-local-lib
>> include /usr/local/snort-1.7/udp-local-lib
>> include /usr/local/snort-1.7/icmp-local-lib
>> Which have the same permissions as everything else, and which are
>> nothing more than:
>> log tcp any any -> $HOME_NET any (msg:"TCP packet";)
>> log udp any any -> $HOME_NET any (msg:"UDP packet";)
>> log icmp any any -> $HOME_NET any (msg:"ICMP packet";)
>> (which I *think* should log *everything*...)
>> OK: So, I dial up, and the firewall comes up, and from ps ax I get:
>> 26905 ? S 0:00 /usr/bin/snort -b -D -i ppp0 -c
>> and this, brand new, in /var/log/snort,
>> [root at ...2057... /var/log/snort]# ls -lat
>> total 10
>> drwxr-xr-x 2 root root 1024 May 19 10:48 .
>> -rw------- 1 root root 0 May 19 10:48 alert
>> -rw------- 1 root root 0 May 19 10:48 snort-0519 at ...2058...
>> and nothing ever gets logged or written here, no matter what kind of
>> packets come in or how long I wait.
>> So, when I add to snort.conf:
>> output log_tcpdump: /var/log/snort/snort.tcpdump
>> Which is *exactly* what is in the FAQ, I get:
>> May 19 10:48:44 sparky snort: log_tcpdump TcpdumpInitLogFile(): No such
>> file or
>> What's that all about?
>> Is that why nothing's logging? (OK: well, duh..)
>> So, how do I fix "log_tcpdump TcpdumpInitLogFile(): No such file or
>> directory" and why do I *have* to fix it, when this was just a plain
>> vanilla, box-stock install right from the instructions in INSTALL?
>> Finally, how can I dump the current active variables?
>> Is there something like "echo $HOME_NET"?
>> Thanks loads,
>> - John
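The two things the thread turns on (does the directory a log_tcpdump output points into actually exist, and what does $HOME_NET expand to once the include files are pulled in) can be checked from a shell before the daemon is ever started. The script below is an added example, not code from the thread or from the Snort project. It assumes the Snort 1.x config syntax shown above ("var NAME value", "include <file>", "output log_tcpdump: <file>" and rules beginning with log/alert/pass), follows includes one level deep, and builds its own throwaway config tree; the file names missing-lib and nodir, the EXTERNAL_NET reference and the alert/udp rules in that tree are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checker for a Snort 1.x
# style snort.conf. It inlines "include" files one level deep, expands
# "var NAME value" definitions into the $NAME references used by rules,
# and checks that every "output log_tcpdump: <file>" target points into an
# existing, writable directory. Effective config goes to stdout,
# diagnostics to stderr, and the return value is the problem count.

# Constructed sample config tree under $1, modelled on the thread: one var,
# one real local rule file, one include that does not exist, a rule using an
# undefined variable, and one good plus one bad log_tcpdump path.
make_sample_config() {
  d=$1
  mkdir -p "$d/logs"
  cat > "$d/snort.conf" <<EOF
var HOME_NET 192.168.1.0/24
# local rules
include $d/tcp-local-lib
include $d/missing-lib
log udp any any -> \$HOME_NET any (msg:"UDP packet";)
alert icmp any any -> \$EXTERNAL_NET any (msg:"ICMP to undefined var";)
output log_tcpdump: $d/logs/snort.tcpdump
output log_tcpdump: $d/nodir/snort.tcpdump
EOF
  cat > "$d/tcp-local-lib" <<'EOF'
log tcp any any -> $HOME_NET any (msg:"TCP packet";)
EOF
}

# Pass 1: copy $1 to stdout, replacing each "include <file>" with the file's
# contents, or with a "# MISSING include <file>" marker if it is unreadable.
inline_includes() {
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      include\ *)
        inc=${line#include }
        if [ -r "$inc" ]; then cat "$inc"
        else printf '# MISSING include %s\n' "$inc"; fi ;;
      *) printf '%s\n' "$line" ;;
    esac
  done < "$1"
}

# Pass 2: expand variables in rules, print the effective config, verify
# output directories. Returns the number of problems found (0 = clean).
check_config() {
  conf=$1
  flat=$(mktemp)
  inline_includes "$conf" > "$flat"
  problems=0
  subst='s/^//'     # sed script grown from "var" lines; starts as a no-op
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      var\ *)
        rest=${line#var }
        name=${rest%% *}
        value=$(printf '%s' "${rest#* }" | sed 's/[|&\\]/\\&/g')
        # match $NAME followed by a non-identifier char, or at end of line
        subst="$subst;s|[\$]$name\([^A-Za-z0-9_]\)|$value\1|g;s|[\$]$name\$|$value|"
        printf '%s\n' "$line" ;;
      '# MISSING include '*)
        echo "problem: ${line#"# "}" >&2
        problems=$((problems + 1)) ;;
      output\ log_tcpdump:\ *)
        target=${line#output log_tcpdump: }
        dir=$(dirname "$target")
        if [ -d "$dir" ] && [ -w "$dir" ]; then
          printf '%s\n' "$line"
        else
          echo "problem: log_tcpdump directory missing or unwritable: $dir" >&2
          problems=$((problems + 1))
        fi ;;
      log\ *|alert\ *|pass\ *)
        expanded=$(printf '%s\n' "$line" | sed "$subst")
        case $expanded in
          *'$'[A-Za-z_]*)
            echo "problem: undefined variable in rule: $expanded" >&2
            problems=$((problems + 1)) ;;
        esac
        printf '%s\n' "$expanded" ;;
      *) printf '%s\n' "$line" ;;
    esac
  done < "$flat"
  rm -f "$flat"
  return $problems
}

# Stand-alone demo on the constructed config tree.
demo_dir=$(mktemp -d)
make_sample_config "$demo_dir"
rc=0
check_config "$demo_dir/snort.conf" || rc=$?
echo "problems found: $rc" >&2
rm -rf "$demo_dir"
```

Run against a real snort.conf with `check_config /usr/local/snort-1.7/snort.conf`: the stdout is the rule set as Snort will see it, with $HOME_NET already substituted, which is the closest thing to an "echo $HOME_NET" for a config file; a nonzero return means at least one include, output directory or variable needs fixing before starting the daemon.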