[Snort-users] the most cryptic fsck'ing thing...

John Sage jsage at ...2022...
Sun May 20 22:44:19 EDT 2001


Erek:

Erek Adams wrote:

> On Sat, 19 May 2001, John Sage wrote:
> 
>> At the risk of seeming like a total idiot (at this point I don't care ;-)
> 
> Idiot?  No, I've already won that title. :)

heh..

>> Snort has got to be the most cryptic fsck'ing thing to get running I've
>> ever seen!
> 
> Yeppers.  It has a few 'things' that make it fun to setup.

Actually, snort's working great, now, if all I want to do is look at eth0 ;-)

Most of my problems *now* seem to be pointing toward a ppp0 issue.

There's a thread in the snort archives from last month suggesting that
the 1.8 beta may be the way to go..

http://archives.neohapsis.com/archives/snort/2001-04/0518.html

>> May 19 10:48:44 sparky snort: log_tcpdump TcpdumpInitLogFile(): No such
>> file or directory
>> 
>> What's that all about?
>> 
>> Is that why nothing's logging? (OK: well, duh..)
> 
> You got it in one guess! ;-)
> 
> Actually...  If I were to guess at it, I'd say that it's a file/directory
> problem.  Take a look and make sure that /var/log/snort exists, and that the
> user that snort is running as has write permissions to it.  Also check and
> make sure that the /var/log/snort/tcpdump.log file exists and has writeable
> permissions.

I think you are right.. been fiddling with so much, I forgot what exactly
was wrong with that particular issue.

I think I had too much in my snort.conf -- I had the file name and not just the
path... or something like that. Or I was alerting, but not logging, or logging
but not alerting, or somesuch ;-)

That's fixed. Now I gotta deal with the ppp0 issue..
 
> If you are on Solaris you can use 'truss' to find out where/why it's dying.
> I had one of my Linux geek friends tell me that there is something called
> 'strace' for Linux that does almost the same thing...

I'm running Linux.. strace: I'lllook into that.
 
>> Finally, how can I dump the current active variables?
>> 
>> Is there something like "echo $HOME_NET"?
> 
> 
> Not to my knowledge.  I usually just grep thru the snort.conf for "$" to find
> any variables.
> 
> Hope this helps!

Thanks for your reply; sorry my post was so cranky..

- John

-- 
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."





More information about the Snort-users mailing list