[Snort-users] help please

d'Ambly, Jeff jdambly at ...3616...
Thu Sep 27 07:41:04 EDT 2001


Ok sweet, that worked but now I can't use eth1

Snort received signal 2, exiting
[root at ...2306... conf]# snort -o -c -i eth1 ./snort.conf 
Log directory = 

        --== Initializing Snort ==--
Checking PID path...
PATH_VARRUN is set to /var/run/ on this operating system
Rule application order changed to Pass->Alert->Log

Initializing Network Interface eth0
ERROR: OpenPcap() FSM compilation failed: 
        parse error
PCAP command: eth1 ./snort.conf
Fatal Error, Quitting..
[root at ...2306... conf]#

This is a 100mb interface that does not have an ip address, I want to do
this because I have setup a spanning session on the switch, to mirror all
traffic on vlan across this one port. Think of it like a hub, in a way.

   --  Jeff d'Ambly
Network Engineer
http://www.monster.com
--------------------------------
Stay the patient course.
Of little worth is your ire.
The network is up.

 -----Original Message-----
From: 	Erek Adams [mailto:erek at ...577...] 
Sent:	Thursday, September 27, 2001 10:31 AM
To:	d'Ambly, Jeff
Cc:	'snort-users at lists.sourceforge.net'
Subject:	RE: [Snort-users] help please

On Thu, 27 Sep 2001, d'Ambly, Jeff wrote:

> Hey thanks, dmearc was overwriting my config, but now I get this error
when
> I start snort

Ok, cool!  I now I'm not so confused. :)

> ERROR /usr/local/demarc/conf/policy.rules(29) => Bad Priority setting
> "bad-unknown"
> ERROR /usr/local/demarc/conf/policy.rules(30) => Bad Priority setting
> "bad-unknown"
> ERROR /usr/local/demarc/conf/policy.rules(31) => Bad Priority setting
> "bad-unknown"
> ERROR /usr/local/demarc/conf/policy.rules(32) => Bad Priority setting
> "bad-unknown"
> ERROR /usr/local/demarc/conf/policy.rules(33) => Bad Priority setting
> "bad-unknown"
> ERROR /usr/local/demarc/conf/policy.rules(34) => Bad Priority setting
> "bad-unknown"
> ERROR /usr/local/demarc/conf/policy.rules(35) => Bad Priority setting
> "bad-unknown"
> ERROR /usr/local/demarc/conf/policy.rules(36) => Bad Priority setting
> "bad-unknown"

Make sure you have the lines:

 # Include classification & priority settings
 include classification.config

In snort.conf.  Then make sure you have:

 config classification: bad-unknown,Potentially Bad Traffic, 2

in that file.  At that point, all should be well.

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net




More information about the Snort-users mailing list