[Snort-users] 1.9.0beta4

Gray . Brendan bgray2 at ...3738...
Wed Aug 14 11:10:04 EDT 2002


I'm now running 1.9.0beta4 as snort -A full -d and it appears to be working.
It's logging alerts, and eth0 is staying in promisc mode.

Brendan

-----Original Message-----
From: Chris Green [mailto:cmg at ...1935...]
Sent: Wednesday, August 14, 2002 1:21 PM
To: Gray . Brendan
Subject: Re: [Snort-users] 1.9.0beta4


"Gray . Brendan" <bgray2 at ...3738...> writes:

> I'm testing 1.9.0beta4 and it's not working.  Well, to be more specific, I'm
> running RedHat 7.3 on a x86 with all the updates, and when I start Snort
> (snort -A full -d -D) snort will run, but nothing gets logged.


Take off the -D option and see what error it reports.  Please reply to
snort-users as others might have the same problem.



> I'm looking at the /var/log/messages file, and it seems that when
> I start snort, eth0 goes into promiscuous mode, and then leaves
> promisc mode almost immediately thereafter.  Is it a bug or a
> problem with my system (libpcap maybe?)?  I originally had
> snort-1.8.6 installed via demarc on the box.  Demarc was turned off
> (psd -k) and the new snort binary has replaced the snort-1.8.6
> binary.  Here's a brief cut & paste from /var/log/messages>
>
> Aug 14 12:45:35 testbox kernel: device eth0 entered promiscuous mode
> Aug 14 12:45:35 testbox snort: using config file ./snort.conf
> Aug 14 12:45:35 testbox snort: http_decode arguments:
> Aug 14 12:45:35 testbox snort:     Unicode decoding
> Aug 14 12:45:35 testbox snort:     IIS alternate Unicode decoding
> Aug 14 12:45:35 testbox snort:     IIS double encoding vuln
> Aug 14 12:45:35 testbox snort:     Flip backslash to slash
> Aug 14 12:45:35 testbox snort:     Include additional whitespace separators
> Aug 14 12:45:35 testbox snort:     Ports to decode http on: 80
> Aug 14 12:45:35 testbox snort: telnet_decode arguments:
> Aug 14 12:45:35 testbox snort:     Ports to decode telnet on: 21 23 25 119
> Aug 14 12:45:35 testbox snort: Conversation Config:
> Aug 14 12:45:35 testbox snort:    KeepStats: 0
> Aug 14 12:45:35 testbox snort:    Conv Count: 32000
> Aug 14 12:45:35 testbox snort:    Timeout   : 60
> Aug 14 12:45:35 testbox snort:    Allowed IP Protocols:
> Aug 14 12:45:35 testbox snort:  All
> Aug 14 12:45:35 testbox snort:
> Aug 14 12:45:35 testbox snort: Portscan2 config:
> Aug 14 12:45:35 testbox snort:     log: /var/log/snort/scan.log
> Aug 14 12:45:35 testbox snort:     scanners_max: 3200
> Aug 14 12:45:35 testbox snort:     targets_max: 5000
> Aug 14 12:45:35 testbox snort:     target_limit: 5
> Aug 14 12:45:35 testbox snort:     port_limit: 20
> Aug 14 12:45:35 testbox snort:     timeout: 60
> Aug 14 12:45:37 testbox snort: Initializing daemon mode
> Aug 14 12:45:37 testbox snort: PID stat checked out ok, PID set to /var/run/
> Aug 14 12:45:37 testbox snort: Writing PID file to "/var/run/"
> Aug 14 12:45:37 testbox snort: Snort initialization completed successfully, Snort running
> Aug 14 12:45:37 testbox kernel: device eth0 left promiscuous mode
>
>
> All of the default rules are activated, except x11, coldfusion, and php
> which are commented out.  I have set the HOME_NET and EXTERNAL_NET values,
> and I activated the policy and porn rules, to see what I'd discover.
>
> Brendan
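As an added example (not part of the thread or of Snort itself), here is a small sensor-health check over syslog lines of the kind quoted above. It flags the pattern Brendan hit: Snort reports itself running, but the capture interface then leaves promiscuous mode, which means the sniffing process has gone away and nothing is being logged. The sample log lines are constructed from the ones in the thread; the interface name is a parameter.

```sh
#!/bin/sh
# Constructed sample of /var/log/messages lines, modelled on the thread above
# (daemon forks, reports "Snort running", then eth0 drops out of promisc mode).
SAMPLE_LOG_DEAD='Aug 14 12:45:35 testbox kernel: device eth0 entered promiscuous mode
Aug 14 12:45:35 testbox snort: using config file ./snort.conf
Aug 14 12:45:37 testbox snort: Initializing daemon mode
Aug 14 12:45:37 testbox snort: Snort initialization completed successfully, Snort running
Aug 14 12:45:37 testbox kernel: device eth0 left promiscuous mode'

# Constructed healthy case: the interface stays in promisc mode after startup.
SAMPLE_LOG_OK='Aug 14 12:50:01 testbox kernel: device eth0 entered promiscuous mode
Aug 14 12:50:01 testbox snort: using config file ./snort.conf
Aug 14 12:50:03 testbox snort: Snort initialization completed successfully, Snort running'

# sensor_state IFACE  (reads syslog lines on stdin)
# Prints "capturing" if Snort reported running and the last promisc event for
# IFACE is "entered"; "dead" if Snort reported running but the last event is
# "left" (the process exited after daemonising, so -D hid the error); "unknown"
# otherwise (e.g. Snort never got as far as "Snort running").
sensor_state() {
    awk -v iface="$1" '
        $0 ~ ("device " iface " entered promiscuous mode") { last = "entered" }
        $0 ~ ("device " iface " left promiscuous mode")    { last = "left" }
        / snort: .*Snort running/                          { running = 1 }
        END {
            if (last == "entered" && running)    print "capturing"
            else if (last == "left" && running)  print "dead"
            else                                 print "unknown"
        }'
}

# Convenience wrappers so the two constructed samples can be checked directly.
check_dead_sample() { printf '%s\n' "$SAMPLE_LOG_DEAD" | sensor_state eth0; }
check_ok_sample()   { printf '%s\n' "$SAMPLE_LOG_OK"   | sensor_state eth0; }

# On a real sensor: sensor_state eth0 < /var/log/messages
```

A result of "dead" is the cue to re-run Snort in the foreground (without -D), as Chris suggests, so the startup error is printed instead of being lost at fork time.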
