[Snort-users] setsockopt: Bad file descriptor

Phil Wood cpw at ...440...
Wed Jan 2 14:19:15 EST 2002


On Wed, Jan 02, 2002 at 11:31:06AM -0500, Ernie Dipko wrote:
> Hi all...Happy new year...
>  
> I am having a problem issuing the following command:
>  
> snort -N -A none -p -T -r /usr/local/demarc/cgi/stub_traffic_file -l
> /usr/local/demarc/tmp -c /usr/local/demark/tmp/snort.conf 2>&1
>  
> The command replies with:
>             
> TCPDUMP file reading mode.
> Reading network traffic file from "/usr/local/demark/cgi/stub_traffic_file"
> file.
> Snaplen = 96
> Setsockopt: Bad file descriptor

Did you capitalize snaplen and setsockopt?  Because my version of snort "same
as yours" does not.  Actually, not a lot of help here, but it looks like you
need to check your sources.

I pulled down http://www.tcpdump.org/release/libpcap-0.6.2.tar.gz and did
not find "Setsockopt:" either.

The only setsockopt: error is in live_open_new which seems at odds with the -r option.

I get this (as unpriv user) using your conf file (which had no rules):

$ /data/pw/bin/snort -N -A none -p -T -r /var/log/snort/lastnite -l /var/log/snort -c /etc/snort/snort.conf
Log directory = /var/log/snort

        --== Initializing Snort ==--
TCPDUMP file reading mode.
Reading network traffic from "/var/log/snort/lastnite" file.
snaplen = 1514
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Back Orifice detection brute force: DISABLED
Using LOCAL time
Using LOCAL time
0 Snort rules read...
0 Option Chains linked into 0 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.3 (Build 88)
By Martin Roesch (roesch at ...1935..., www.snort.org)

Snort sucessfully loaded all rules and checked all rule chains!


===============================================================================

Snort processed 0 packets.
Breakdown by protocol:                Action Stats:

    TCP: 0          (0.000%)          ALERTS: 0         
    UDP: 0          (0.000%)          LOGGED: 0         
   ICMP: 0          (0.000%)          PASSED: 0         
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
   Rebuilt IP Packets: 0         
   Frag elements used: 0         
Discarded(incomplete): 0         
   Discarded(timeout): 0         
===============================================================================

TCP Stream Reassembly Stats:
   TCP Packets Used:      0          (0.000%)
   Reconstructed Packets: 0          (0.000%)
   Streams Reconstructed: 0         
===============================================================================

$ 

>  
>  
> Can anyone help?
>  
> I am on RedHat Linux 7.1, (2.4.9-12 kernel), libpcap-0.6.2, snort 1.8.3
> (Build 88)
> Thanks 
> Ernie
>  
>  
> I don't think it matters, but here is the snort.conf file I was using:
>  
> # NOTE:
> # This snort.conf file has been automatically generated for you
> # in order to quickly bring a new snort/DEMARC sensor online.
> # This is BY NO MEANS a list of all options availible to you
> # from a properly optimized snort.conf file.
> #
> # Once your sensor is online, and you are able to control it from
> # the DEMARC web interface, please go to http://snort.sourcefire.com/
> # to download the sample snort.conf file which you can then customize
> # to fit the needs of your network.
>  
>  
> var HOME_NET any
> var EXTERNAL_NET any
> var SMTP $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var DNS_SERVERS $HOME_NET
>  
> preprocessor defrag
> preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
> preprocessor unidecode: 80
> preprocessor rpc_decode: 111
> preprocessor bo: -nobrute
> preprocessor telnet_decode
> preprocessor portscan: $HOME_NET 4 3 portscan.log
> preprocessor portscan-ignorehosts: 10.10.1.1 10.10.1.116
> output database: log, mysql, user=snort dbname=snort password={my password}
> host=127.0.0.1 sensor_name=netsniffer1
>  
>  
> #BEGIN RULES:
>  
>  

-- 
Phil Wood, cpw at ...440...
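A small sanity check, added here as an example and not code from the thread or from Snort itself: it reads the libpcap global header that `snort -r` must parse before it can print its `snaplen = N` line, so a file that is not actually a pcap capture is rejected before being handed to Snort. The sample header bytes are constructed for the example.

```python
import struct

# libpcap global-header magic values: classic microsecond format and the
# nanosecond variant, each in little- and big-endian byte order.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "usec"),
    b"\xa1\xb2\xc3\xd4": (">", "usec"),
    b"\x4d\x3c\xb2\xa1": ("<", "nsec"),
    b"\xa1\xb2\x3c\x4d": (">", "nsec"),
}


def parse_pcap_header(data: bytes) -> dict:
    """Parse the 24-byte libpcap global header and return its fields.

    Raises ValueError when the bytes are not a pcap file header, which is
    the case worth catching before running 'snort -r' on the file.
    """
    if len(data) < 24:
        raise ValueError("file too short to hold a pcap global header")
    magic = data[:4]
    if magic not in PCAP_MAGICS:
        raise ValueError("not a libpcap capture file (magic %s)" % magic.hex())
    endian, resolution = PCAP_MAGICS[magic]
    # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    major, minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    return {
        "version": (major, minor),
        "timestamp_resolution": resolution,
        "snaplen": snaplen,
        "linktype": linktype,
    }


def check_pcap_file(path: str) -> dict:
    """Read only the global header of a capture file and parse it."""
    with open(path, "rb") as f:
        return parse_pcap_header(f.read(24))


# Constructed sample: little-endian pcap 2.4 header, snaplen 96, link type 1
# (Ethernet), no packets; this is what yields a "snaplen = 96" line in -r mode.
SAMPLE_HEADER = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 96, 1)

if __name__ == "__main__":
    import sys
    target = check_pcap_file(sys.argv[1]) if len(sys.argv) > 1 else parse_pcap_header(SAMPLE_HEADER)
    print(target)
```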