[Snort-users] More snort problems

Erek Adams erek at ...577...
Tue Jul 9 08:57:04 EDT 2002


On Mon, 8 Jul 2002, red z wrote:

> Yes, I'm an idiot I know what you're thinking.. Ok, in a nutshell I can't do
> ANYTHING with snort except snort -v . I want to be able to use the NIDS
> damnit!!

heh...  It's Ok.  It's not that big of a deal.  :)

One good thing:  snort -v shows traffic.  That's good!  ;-)

> I'm running freebsd 4.6. I installed snort by /stand/sysinstall then
> packages, security, then snort.
>
> Maybe it's because my IQ is below a dozen I don't know, but I can't get NIDS
> running for the life of me.  freebsd installed snort in /usr/local/bin/snort

Ok don't get me wrong, I _love_ the idea of packages.  But I find that with
some things, it's better to build it from the tarball and then packagize the
software yourself.

> So far my problems are:
>
> 1. I can't find snort.conf (or any snort file for that matter)
>
> 2. Permissions?
>
> I made a directory called snort in /var/log to see if it would fix it and
> then I did the command snort -h 172.16.0.1/10 -c snort.conf -l/snort/ -dev
>
> still an error message!

First, let's see if we can find snort.conf in one of its default locations.
If you look in snort.c at around line 3238 you see snort looking for
"/etc/snort.conf", and "./snort.conf".  Down around 3275, you see it also
check for a "<home_dir>/.snortrc".  Check to see if there is a snort.conf file
_anywhere_ with:

	cd /
	find . -name snort.conf -type f -print

If you find one, note where it is, and be sure to use the full path to it when
starting snort.

	snort <options> -c /full/path/to/snort.conf

If not, check for .snortrc on the box with:

	cd /
	find . -name .snortrc -type f -print

Not to harp on it, but this is one of the main reasons I'd rather build my
own--I know where I put things!  :)


Secondly, you're not specifying the path to the log dir in the correct format.
The command line above shows you using /snort/ as your log directory.  That
means "the snort directory right off of the root directory", and not "the
snort directory under the current directory."  Just to be safe, let's specify
full paths all the way around:

/usr/local/bin/snort -dev -l /var/log/snort -h 172.16.0.1/10 -c /etc/snort.conf

Check and see if any of that will help.

> If someone has the time/patience and kindness to email me step by step idiot
> proof directions I would be forever in your debt. I am totally lost

heh...  "It might be idiot-proof, but it's not _damned_ idiot
proof"--Anonymous  :)

Hope that helps some!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
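
The checks described in the reply above, collected into one preflight script. This is an added example, not part of the original message or of Snort itself; the function names, return codes and the optional root-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: confirm the config file and log directory before starting
# snort in NIDS mode, then print the command with full paths throughout.

# Print the first readable config among the default locations named in the
# reply. $1 is an optional prefix for /etc (hypothetical, for dry runs).
find_snort_conf() {
    root="${1:-}"
    for candidate in "$root/etc/snort.conf" "$PWD/snort.conf" "${HOME:-}/.snortrc"; do
        if [ -f "$candidate" ] && [ -r "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Return 0 if $1 is usable with -l; 1 = not an absolute path,
# 2 = directory does not exist, 3 = not writable by the current user.
check_log_dir() {
    case "$1" in
        /*) ;;
        *) return 1 ;;
    esac
    [ -d "$1" ] || return 2
    [ -w "$1" ] || return 3
    return 0
}

# Usage: preflight <log_dir> <home_net> [root_prefix]
preflight() {
    logdir="$1"; homenet="$2"; prefix="${3:-}"
    conf=$(find_snort_conf "$prefix") || {
        echo "no snort.conf or .snortrc found in the default locations" >&2
        return 1
    }
    check_log_dir "$logdir" || {
        echo "log directory $logdir rejected (code $?)" >&2
        return 1
    }
    printf '/usr/local/bin/snort -dev -l %s -h %s -c %s\n' "$logdir" "$homenet" "$conf"
}

# Run the preflight only when arguments are supplied on the command line.
if [ "$#" -gt 0 ]; then
    preflight "$@"
fi
```

Called with `/snort/` as the log directory on a box where only /var/log/snort was created, the script stops with code 2 instead of letting snort fail at startup.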
