FW: [Snort-users] FW: ERROR: OpenPcap

Michael Steele michaels at ...155...
Wed Jun 19 15:08:06 EDT 2002


Mike,

It sometimes takes a few minutes to start receiving the alerts.  You can
add this to your local.rules file (be sure to take the hash mark out in
front of the include for that in Snort.conf) and you will get all kinds
of alerts to your database. When you're done testing, be sure to place the
hash mark back in your snort.conf in front of the include statement for
local.rules, or your database will grow rather quickly.

alert tcp any any <> any any (msg:"alert-local test";)


The line works as far as I know. It has, in the past, without quotes
around it?

Let me know if placing the quotes around it fixed it and I will revise
my docs. Send me a copy of your actual line.

-Michael
--
 Michael Steele | System Engineer / Support Technician
 mailto:michaels at ...155...
 Silicon Defense: IDS solutions - http://www.silicondefense.com
 Snort: Open Source Network IDS - http://www.snort.org



-----Original Message-----
From: Mike Balzotti [mailto:mike.balzotti at ...6139...] 
Sent: Wednesday, June 19, 2002 2:40 PM
To: Michael Steele
Subject: RE: [Snort-users] FW: ERROR: OpenPcap

Probably don't miss as many as me :) Ok I thought it was working,
but....

"At that same command prompt type: 

Snort -c C:\snort\Snort.conf -l C:\Program Files\Apache
Group\Apache\htdocs\logs -ix 

Note: -ix (x is the number of the NIC to place the Snort sensor on) 

Note: If there were no errors produced then Snort should have created an
Alert.ids file in the C:\Program Files\Apache Group\Apache\htdocs\logs
folder."

I do not get any errors any longer but I also don't get the Alert.ids
file. Did I screw something up pretty bad? By the way the adapter that I
am using is 1. I used your test to figure it out.

Thanks-

Mike 

-----Original Message-----
From: Michael Steele [mailto:michaels at ...155...]
Sent: Wednesday, June 19, 2002 2:38 PM
To: Mike Balzotti
Cc: Chris Reid
Subject: RE: [Snort-users] FW: ERROR: OpenPcap


All;

I always miss the easy ones! It was not only marked once, but twice! :-)


Next..

-Michael
--
 Michael Steele | System Engineer / Support Technician
 mailto:michaels at ...155...
 Silicon Defense: IDS solutions - http://www.silicondefense.com
 Snort: Open Source Network IDS - http://www.snort.org



-----Original Message-----
From: Mike Balzotti [mailto:mike.balzotti at ...6139...] 
Sent: Wednesday, June 19, 2002 1:37 PM
To: Chris Reid; Michael Steele
Subject: RE: [Snort-users] FW: ERROR: OpenPcap

Ok yeah that worked.

Thanks for the fast reply. I knew it was something stupid that I was
doing.

Mike


-----Original Message-----
From: Chris Reid [mailto:chris.reid at ...3029...]
Sent: Wednesday, June 19, 2002 1:23 PM
To: Michael Steele; snort-users at lists.sourceforge.net
Cc: Mike Balzotti
Subject: Re: [Snort-users] FW: ERROR: OpenPcap



Mike,

Take a closer look at the command line.  There's a space between
"Program" and "Files", and another space between "Apache" and "Group".
Put the whole path after -l in double quotes.

Chris Reid
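An added illustration (not code from this thread or from Snort) of why the unquoted path produced "log directory = C:\Program" and a pcap "parse error": a simplified model of how the shell splits the command line on spaces (double quotes group a token; backslash escaping is ignored here, which is an assumption) and how Snort's option loop, as modelled here, takes -c/-l/-i values and hands every token from the first non-option onward to pcap_compile() as the BPF filter expression.

```python
from __future__ import annotations

# Constructed model of the failure mode discussed in the thread. It is not
# Snort's own parser; the option set and the "stop at first non-option"
# behaviour are assumptions chosen to match the error output quoted above.

def split_cmdline(cmdline: str) -> list[str]:
    """Split a command line on whitespace, honouring double quotes (simplified)."""
    args, cur, in_quote, have_token = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote      # quotes group, and are stripped
            have_token = True
        elif ch.isspace() and not in_quote:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
    if have_token:
        args.append("".join(cur))
    return args

OPTS_WITH_VALUE = {"-c": "config", "-l": "logdir", "-i": "iface"}

def parse_snort_args(args: list[str]) -> dict:
    """Model the option loop: options first; everything after is the BPF filter."""
    result = {"config": None, "logdir": None, "iface": None, "bpf": ""}
    i = 1  # args[0] is the program name
    while i < len(args) and args[i].startswith("-"):
        opt, val = args[i][:2], args[i][2:]   # accept "-i1" as well as "-i 1"
        if opt in OPTS_WITH_VALUE:
            if not val:
                i += 1
                val = args[i] if i < len(args) else ""
            result[OPTS_WITH_VALUE[opt]] = val
        i += 1
    # Leftover tokens become the filter string given to pcap_compile(); an
    # unquoted path with spaces therefore ends up here and fails to parse.
    result["bpf"] = " ".join(args[i:])
    return result

def parse_cmdline(cmdline: str) -> dict:
    return parse_snort_args(split_cmdline(cmdline))
```

Running parse_cmdline on the unquoted line from the thread yields logdir "C:\Program" and a bpf string starting with "Files\Apache", matching the quoted error output; with the path in double quotes the bpf string is empty.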



----- Original Message -----
From: "Michael Steele" <michaels at ...155...>
To: <snort-users at lists.sourceforge.net>
Sent: Wednesday, June 19, 2002 1:26 PM
Subject: [Snort-users] FW: ERROR: OpenPcap


>
> Mike,
>
> Use Snort -W to get a list of adapters. Say you only have one adapter,
> so it should show your adapter in location 1.  CD to your snort folder
> and type Snort -v -i1 and that will allow snort to sniff on adapter 1.
> After doing this you should see all kinds of traffic in the command
> window, if not go to your browser and generate some traffic.
>
> Let me know how things go.
>
> -Michael
> --
>  Michael Steele | System Engineer / Support Technician
>  mailto:michaels at ...155...
>  Silicon Defense: IDS solutions - http://www.silicondefense.com
>  Snort: Open Source Network IDS - http://www.snort.org
>
>
>
> -----Original Message-----
> From: Mike Balzotti [mailto:mike.balzotti at ...6139...]
> Sent: Wednesday, June 19, 2002 11:41 AM
> To: michaels at ...155...
> Subject: ERROR: OpenPcap
>
> I am trying to install snort from your documentation. Upon testing to
> make sure it is working I get an error.
> The test I am running is
> Snort -c C:\snort\Snort.conf -l C:\Program Files\Apache
> Group\Apache\htdocs\logs -ix
> where x = 1
>
> The snort -v -x1 works fine as far as I can tell.
>
> The error I get on the first is as follows
>
> C:\Snort\Snort -c C:\snort\Snort.conf -l C:\Program Files\Apache
> Group\Apache\htdocs\logs -ix
> log directory = C:\Program
>
> Initializing Network Interface \
> ERROR: OpenPcap() FSM compilation failed:
>                 parse error
> PCAP command: Files\Apache Group\Apache\htdocs\logs -i2
> Fatal Error, quitting..
>
> Thanks for your help in this.
>
> Mike Balzotti
> Network Systems Technician II
> World Wide Packets
> <http://www.worldwidepackets.com>
> 1-509-242-9411
>