[Snort-users] snort 2.8.5.3 and PCAP_FRAMES

Russell Fulton r.fulton at ...3809...
Mon May 17 20:30:16 EDT 2010


Ah! As usual the problem resides between the chair and the keyboard :)  I'll document it here in case anyone else falls for this one.

A while back I set my sensors up so that the snort user could do "sudo snort" without a password; this allowed me to get rid of various setuid nastiness that I was using.  That was fine until recently, when the OS on the box got "upgraded" and a much tighter sudoers file was installed, causing PCAP_FRAMES to get sanitised from the environment.

So if you use sudo to start snort, make sure you either use -E or configure your sudoers file to pass the variable through.

Russell
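The two checks a sensor admin would want after reading the above, as an added example that is not part of the original thread: first, a way to reproduce sudo's env_reset behaviour without sudo at all (env -i stands in for env_reset, and a trailing NAME=value on the env -i command line stands in for an env_keep entry), so you can see why "Not Using PCAP_FRAMES" appears even though the calling shell has the variable set; second, a small check that reads a sudoers file and reports whether PCAP_FRAMES would survive, so the fix can be verified before the sensor is restarted. The sudoers fragment in the demo is constructed for the example; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the snort-users thread.
# Part 1: mimic what sudo does to the environment without running sudo.
# $@ is the launcher that stands in for sudo's environment handling:
#   env                       -> nothing stripped (like sudo -E / !env_reset)
#   env -i                    -> everything stripped (like env_reset)
#   env -i PCAP_FRAMES=32000  -> stripped, then one variable re-added (like env_keep)
# Prints the value the child process saw, or "unset".
child_sees_pcap_frames() {
    PCAP_FRAMES=32000 "$@" sh -c 'echo "${PCAP_FRAMES:-unset}"'
}

# Part 2: does this sudoers file pass a variable through env_reset?
# Returns 0 if either env_reset is switched off ("Defaults !env_reset")
# or the variable appears in an env_keep list, e.g.
#   Defaults env_keep += "PCAP_FRAMES"
#   Defaults env_keep = "HOME PCAP_FRAMES"
# Comments (# ...) are ignored; "env_keep -= ..." removals do not count.
sudoers_keeps_var() {
    file=$1
    var=$2
    if sed 's/#.*//' "$file" | grep -Eq '^[[:space:]]*Defaults[^=]*!env_reset'; then
        return 0
    fi
    sed 's/#.*//' "$file" \
        | grep -E '^[[:space:]]*Defaults[^=]*env_keep[[:space:]]*[+]?=' \
        | sed 's/^[^=]*=//; s/"/ /g' \
        | tr -s ' \t' '\n' \
        | grep -qx "$var"
}

# Stand-alone demo with a constructed sudoers fragment (placeholder user/host).
demo_file="${TMPDIR:-/tmp}/sudoers-demo.$$"
cat > "$demo_file" <<'EOF'
# constructed fragment for the example
Defaults env_reset
Defaults env_keep += "PCAP_FRAMES"
snort ALL=(root) NOPASSWD: /usr/local/bin/snort
EOF
echo "plain launcher sees:            $(child_sees_pcap_frames env)"
echo "env_reset-style launcher sees:  $(child_sees_pcap_frames env -i)"
echo "env_keep-style launcher sees:   $(child_sees_pcap_frames env -i PCAP_FRAMES=32000)"
if sudoers_keeps_var "$demo_file" PCAP_FRAMES; then
    echo "sudoers fragment keeps PCAP_FRAMES"
else
    echo "sudoers fragment drops PCAP_FRAMES"
fi
rm -f "$demo_file"
```

On a real sensor run sudoers_keeps_var against /etc/sudoers (and anything under /etc/sudoers.d), and remember that env_keep is the narrower fix: sudo -E passes the whole calling environment to a root process, whereas an env_keep entry lets through only the one variable the sensor needs.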


On 13/05/2010, at 12:54 AM, Joel Esler wrote:

> Just out of curiosity, have you tried it with 2.8.6.0?  Just to see if we've already fixed it in the current Snort version?  (I have NOT tested it here on either version)
> 
> On Wed, May 12, 2010 at 12:43 AM, Russell Fulton <r.fulton at ...3809...> wrote:
> I've just noticed that my snort is no longer using PCAP_FRAMES ???
> 
> [snort at ...13893... ~]$ snort -V
> 
>   ,,_     -*> Snort! <*-
>  o"  )~   Version 2.8.5.3 (Build 124)
>   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
>           Using PCRE version: 6.6 06-Feb-2006
> 
> [snort at ...13893... ~]$ env | grep PCAP
> PCAP_FRAMES=32000
> 
> [snort at ...13893... ~]$ sudo snort -D   -A none -c conf/snort.conf.eth3 -u snort -g snort -i eth3 -l /home/snort/data/eth3 -m 0002 -S INT=eth3
> 
> [snort at ...13893... ~]$ sudo tail /var/log/messages
> May 12 04:33:51 monitor-dmzo snort[3579]: | Num States       : 635820
> May 12 04:33:51 monitor-dmzo snort[3579]: | Num Transitions  : 45289523
> May 12 04:33:51 monitor-dmzo snort[3579]: | State Density    : 27.8%
> May 12 04:33:51 monitor-dmzo snort[3579]: | Finite Automatum : DFA
> May 12 04:33:51 monitor-dmzo snort[3579]: | Memory           : 434.13Mbytes
> May 12 04:33:51 monitor-dmzo snort[3579]: +-------------------------------------------------------------
> May 12 04:33:51 monitor-dmzo snort[3579]:
> May 12 04:33:51 monitor-dmzo snort[3579]:         --== Initialization Complete ==--
> May 12 04:33:51 monitor-dmzo snort[3579]: Snort initialization completed successfully (pid=3579)
> May 12 04:33:51 monitor-dmzo snort[3579]: Not Using PCAP_FRAMES
> 
> I have the latest version of libpcap from lbl installed and recompiled snort with --with-libcap-dir=/usr/local/lib...
> 
> Any ideas?
> 
> Russell
