[Snort-users] Snort Daemon More Help Needed 2

Jiju Menon security4rrm at ...11827...
Sat Feb 26 13:50:20 EST 2005


2/26

Hello,

I am providing the result of what was asked of me to help troubleshoot
the daemon problem.

The daemon runs if INTERFACE=any.

[root at ...13095... snort]# tail -f /var/log/messages

######## I ran snortd with INTERFACE=any #####################################

Feb 26 11:08:45 Gateway snort: -------------------------------------------------------------------------------
Feb 26 11:08:45 Gateway snort: Rule application order: 
Feb 26 11:08:45 Gateway snort: ->activation
Feb 26 11:08:45 Gateway snort: ->dynamic
Feb 26 11:08:45 Gateway snort: ->alert
Feb 26 11:08:45 Gateway snort: ->pass
Feb 26 11:08:45 Gateway snort: ->log
Feb 26 11:08:45 Gateway snort:  
Feb 26 11:08:45 Gateway snort: Log directory = /var/log/snort 
Feb 26 11:08:45 Gateway snort: Snort initialization completed successfully (pid=7339)
Feb 26 15:22:03 Gateway snort: Final Flow Statistics 
Feb 26 15:22:03 Gateway snort: Snort exiting 
Feb 26 15:22:03 Gateway snortd: snort shutdown succeeded


######## I ran snortd with INTERFACE=3Dany ###################################

Feb 26 15:22:07 Gateway modprobe: modprobe: Can't locate module 3Dany
Feb 26 15:22:07 Gateway snort: FATAL ERROR: OpenPcap() device 3Dany open:  ^Iioctl: No such device
Feb 26 15:22:07 Gateway snortd: snort startup failed


I feel that in some machines snort is not listening on all interfaces
even when I ran with INTERFACE=any. I got positive results in one of
them. All the machines I use are Red Hat 9.0

Thanks.

-------------------------------------------------------------
HISTORY
--------------------------------------------------------------


On Fri, 25 Feb 2005 16:00:02 -0500, Jiju Menon <security4rrm at ...11827...> wrote:
> 2/24
> 
> Hello,
> 
> Thanks to Mr. Maria Lopez Hernandez for responding especially for
> clearly pointing the change to me. I am not well versed in scripts.
> 
> I did as was advised. When I try to start the service it fails. Is
> there anything more that I should do to get the script running on all
> three interfaces?
> 
> Thank you.
> 


Message: 6
Subject: Re: [Snort-users] Snort Daemon More Help Needed
From: Jose Maria Lopez Hernandez <jkerouac at ...12346...>
To: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
Organization: bgSEC
Date: Fri, 25 Feb 2005 22:58:17 +0100

On Fri, 25-02-2005 at 16:00 -0500, Jiju Menon wrote:
> 2/24
>
> Hello,
>
> Thanks to Mr. Maria Lopez Hernandez for responding especially for
> clearly pointing the change to me. I am not well versed in scripts.
>
> I did as was advised. When I try to start the service it fails. Is
> there anything more that I should do to get the script running on all
> three interfaces?
>
> Thank you.

You have to send to the list the error that snort gives to you.
If there's an error shown when the script runs and also you
can do a "tail -f /var/log/messages" and then run the script
to see what snort says when it tries to start.

If you post that information we maybe can help you further.

Regards.

--

> ----------------------------------------------------------------------------------------
> HISTORY
> -----------------------------------------------------------------------------------------
> 
> > Message: 7
> > Date: Wed, 23 Feb 2005 17:12:47 -0500
> > From: Jiju Menon <security4rrm at ...11827...>
> > Reply-To: Jiju Menon <security4rrm at ...11827...>
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Snort Deamon
> >
> > Hello,
> >
> > I am trying to use a Snort daemon from the website
> > http://msbnetworks.net/snort/snortd.txt,
> >
> > I am running snort on a machine with 3 interfaces and I would like to
> > run snort in all interfaces.
> > There is a parameter INTERFACE= , in the file. What value should I
> > give if I want snort to sniff all interfaces?
> >
> > By default, it takes only eth0 and does not seem to change interface
> > even if I specify eth1, or eth2.
> >
> > Any help is welcome.
> >
> > Thank you
> >
> > --__--__--
> >
> > Message: 8
> > Subject: Re: [Snort-users] Snort Deamon
> > From: Jose Maria Lopez Hernandez <jkerouac at ...12346...>
> > To: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
> > Organization: bgSEC
> > Date: Wed, 23 Feb 2005 23:46:52 +0100
> >
> > On Wed, 23-02-2005 at 17:12 -0500, Jiju Menon wrote:
> > > Hello,
> > >
> > > I am trying to use a Snort daemon from the website
> > > http://msbnetworks.net/snort/snortd.txt,
> > >
> > > I am running snort on a machine with 3 interfaces and I would like to
> > > run snort in all interfaces.
> > > There is a parameter INTERFACE= , in the file. What value should I
> > > give if I want snort to sniff all interfaces?
> >
> > Just use:
> > INTERFACE=any
> >
> > But you have to change the script. What's wrong is the script
> > you are using. It specifies the variable INTERFACE but it doesn't
> > use it later to launch snort, so it won't work.
> >
> > Change the line:
> > daemon /usr/local/bin/snort -u snort -g snort -d -D \
> >                 -c /etc/snort/snort.conf
> >
> > to:
> >
> > daemon /usr/local/bin/snort -u snort -g snort -d -i $INTERFACE -D \
> >                 -c /etc/snort/snort.conf
> >
> > and it will work.
> >
> > > By default, it takes only eth0 and does not seem to change interface
> > > even if I specify eth1, or eth2.
> > >
> > > Any help is welcome.
> > >
> > > Thank you
> >
> > Regards.
> >
> > --
> >
> > Jose Maria Lopez Hernandez
> > Director Tecnico de bgSEC
> > jkerouac at ...12346...
> > bgSEC Seguridad y Consultoria de Sistemas Informaticos
> > http://www.bgsec.com
>
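
Added example (not part of the original thread or of the snortd script): a pre-flight check an init script could run before the corrected daemon line, so that a bad INTERFACE value such as the 3Dany seen in the log above (what is left when the quoted-printable sequence =3D for "=" is pasted into the setting) is rejected with a distinct exit code instead of failing in OpenPcap(). The names check_interface, snort_args and SYSFS_NET are hypothetical, and the check assumes a Linux host that lists its interfaces under /sys/class/net.

```shell
#!/bin/sh
# Added example: pre-flight check for the INTERFACE setting of a snortd-style
# init script. SYSFS_NET is a hypothetical override so the check can be tested.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# check_interface NAME
# Returns 0 if NAME is "any" or an interface listed under $SYSFS_NET,
# 2 if NAME looks like quoted-printable residue ("=3D" pasted as "3D..."),
# 1 for any other unknown or malformed name.
check_interface() {
    iface="$1"
    case "$iface" in
        ""|.|..|*[!A-Za-z0-9._:-]*) return 1 ;;  # empty or unexpected characters
        any) return 0 ;;                         # libpcap pseudo-device on Linux
    esac
    [ -e "$SYSFS_NET/$iface" ] && return 0
    case "$iface" in
        3D?*)
            stripped="${iface#3D}"
            if [ "$stripped" = any ] || [ -e "$SYSFS_NET/$stripped" ]; then
                return 2                         # e.g. "3Dany" or "3Deth1"
            fi ;;
    esac
    return 1
}

# snort_args NAME
# Prints the argument list of the thread's corrected daemon line, but only
# after NAME has passed check_interface; otherwise returns its exit code.
snort_args() {
    check_interface "$1" || return $?
    printf '%s\n' "-u snort -g snort -d -i $1 -D -c /etc/snort/snort.conf"
}
```

In an init script, an exit code of 2 from check_interface is the cue to log that INTERFACE contains mail-encoding residue and to refuse to start, rather than starting a sensor on the wrong device.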



