[Snort-users] Snort switches to packet Dump Mode
ram.nath241089 at ...11827...
Tue Jul 16 07:05:56 EDT 2013
In continuation with previous mail,
I recompiled Snort and DAQ from source.
(This time I used the snort script from the Snort website.)
I got snort compilation successful and snort exit.
The output I am getting now is:
[root at ...16428... init.d]# ./snort status
snort (pid 15718) is running...
[root at ...16428... init.d]# snort status
* Running in packet dump mode*
--== Initializing Snort ==--
Initializing Output Plugins!
Snort BPF option: status
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
ERROR: Can't set DAQ BPF filter to 'status' (pcap_daq_set_filter:
pcap_compile: syntax error)!
Fatal Error, Quitting..
With this command I am getting snort output fine:
[root at ...16428... init.d]# snort -c /etc/snort/snort.conf -i eth0
I am getting the expected output, running in IDS mode.
The only thing I am *worried* about is: if I reboot,
will *snort switch to packet dump mode*?
Seeking for guidance,
On Tue, Jul 16, 2013 at 12:29 PM, Mayur Patil <ram.nath241089 at ...11827...> wrote:
> Hi Waldo,
> You are right that file is copied from pdf.
> But when I tried this command
> [root at ...16428...]# snort -c /etc/snort/snort.conf -i eth0
> it gives this output, which I think is fine: http://fpaste.org/25552/
> I also checked the /etc/sysconfig/snort file, which is also fine.
> This is the output of grep snort:
> [root at ...16428... ~]# ps aux | grep snort
> snort 1801 0.8 3.8 412328 74744 ? Ssl 12:25 0:01
> /usr/local/bin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c
> /etc/snort/snort.conf -l /var/log/snort
> root 3317 0.0 0.0 103236 852 pts/13 S+ 12:27 0:00
> grep snort
> clcmain 28334 0.1 0.9 377512 17836 ? S 12:16 0:00
> gedit /home/clcmain/Downloads/euca-images/snort-centos-6x.sh
> Because running only
> [a at ...2582...]# snort
> sends it again to packet dump mode.
> Any idea what the next step is?
> P.S.: I will try with the www.snort.com/docs snort script for CentOS and
> report here.
> Seeking for guidance,
> On Tue, Jul 16, 2013 at 1:01 AM, waldo kitty <wkitty42 at ...14940...> wrote:
>> On 7/15/2013 14:53, Mayur Patil wrote:
>> > Hi Waldo,
>> > When I check the /etc/init.d/snort file, I got the following output:
>> > [root at ...16428... init.d]# snort status
>> > Any idea where bug is lurking ??
>> yes... you are in the init.d folder trying to run a script that lives in
>> init.d... you left out the ./ yet you have snort in your path so it was
>> directly instead of via your script...
>> your script is also the place where you need to check the start up
>> that are fed to your snort... this is that script you got out of that pdf
>> isn't it??
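
Added example (not part of the original messages, and not code from the Snort project): a small shell function that classifies a snort command line the way this thread describes, so the options an init script passes can be checked before a reboot. The function name snort_mode and the mode labels ids/logger/dump are made up for this sketch; it assumes only the options that appear in the thread, and that -l without -c selects the manual's packet logger mode.

```shell
#!/bin/sh
# snort_mode ARGS... prints "<mode> bpf=<expr>" for a snort command line.
#   ids    : a config file was given with -c
#   logger : no -c, but a log directory was given with -l (assumption, see lead-in)
#   dump   : neither, so snort only prints packets ("packet dump mode")
# Assumption: only the options seen in this thread are recognised.
snort_mode() {
    conf="" logdir="" bpf=""
    case "${1-}" in snort|*/snort) shift ;; esac   # drop the program name
    while [ $# -gt 0 ]; do
        case "$1" in
            -c) conf="${2-}";   shift; [ $# -eq 0 ] || shift ;;
            -l) logdir="${2-}"; shift; [ $# -eq 0 ] || shift ;;
            -A|-i|-u|-g)        shift; [ $# -eq 0 ] || shift ;;  # take a value
            -*) shift ;;                                         # flags: -b -d -D
            *)  bpf="${bpf:+$bpf }$1"; shift ;;   # leftover words become the BPF filter
        esac
    done
    if [ -n "$conf" ]; then mode=ids
    elif [ -n "$logdir" ]; then mode=logger
    else mode=dump
    fi
    echo "$mode bpf=${bpf:-none}"
}

# Command lines copied from the messages above.
snort_mode snort status     # binary on PATH, "status" parsed as a BPF filter
snort_mode snort            # no -c at all
snort_mode snort -c /etc/snort/snort.conf -i eth0
snort_mode /usr/local/bin/snort -A fast -b -d -D -i eth0 -u snort -g snort \
    -c /etc/snort/snort.conf -l /var/log/snort    # the daemon line from ps aux
```

The last line is the one that matters after a reboot: as long as the init script starts snort with -c, it classifies as ids rather than dump.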