[Snort-users] Snort switches to packet Dump Mode

Mayur Patil ram.nath241089 at ...11827...
Tue Jul 16 07:05:56 EDT 2013


In continuation of my previous mail,

   I recompiled Snort and Daq from source.

   (This time I put script of snort from the snort website)

   Snort compiled successfully, and Snort exits.

   The output I am getting now is

   [root at ...16428... init.d]# ./snort status
   snort (pid  15718) is running...

   [root at ...16428... init.d]# snort status
  * Running in packet dump mode*

        --== Initializing Snort ==--
   Initializing Output Plugins!
   Snort BPF option: status
   pcap DAQ configured to passive.
   Acquiring network traffic from "eth0".
   ERROR: Can't set DAQ BPF filter to 'status' (pcap_daq_set_filter:
pcap_compile: syntax error)!
   Fatal Error, Quitting..

   With this command I am getting the Snort output fine:

   [root at ...16428... init.d]# snort -c /etc/snort/snort.conf -i eth0

   I am getting the expected output, running in IDS mode:

   http://fpaste.org/25619/

   The only thing I am *worried* about is: if I reboot, will Snort switch to packet dump mode??

    Seeking guidance,

    Thanks !!

-- 
*Cheers,
Mayur*.



On Tue, Jul 16, 2013 at 12:29 PM, Mayur Patil <ram.nath241089 at ...11827...>wrote:

> Hi Waldo,
>
>     You are right that the file is copied from the pdf.
>
>     But when I tried this command
>
>     [root at ...16428...]# snort -c /etc/snort/snort.conf -i eth0
>
>     it gives this output, which I think is fine.   http://fpaste.org/25552/
>
>     I also checked the /etc/sysconfig/snort file, which is also fine.
>
>     This is the output of grep snort
>
>     [root at ...16428... ~]# ps aux | grep snort
>      snort     1801  0.8  3.8 412328 74744 ?        Ssl  12:25   0:01
> /usr/local/bin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c
>       /etc/snort/snort.conf -l /var/log/snort
>       root      3317  0.0  0.0 103236   852 pts/13   S+   12:27   0:00
> grep snort
>      clcmain  28334  0.1  0.9 377512 17836 ?        S    12:16   0:00
> gedit /home/clcmain/Downloads/euca-images/snort-centos-6x.sh
>
>  Because running only
>
>  [a at ...2582...]# snort
>
>  sends it to packet dump mode again.
>
>   Any idea what the next step is??
>
>  P.S: I will try the snort script for centos from www.snort.com/docs and
> report here.
>
>  Seeking guidance,
>
>  Thanks!!
>
> --
> *Cheers,
> Mayur*.
>
>
> On Tue, Jul 16, 2013 at 1:01 AM, waldo kitty <wkitty42 at ...14940...>wrote:
>
>> On 7/15/2013 14:53, Mayur Patil wrote:
>> > Hi Waldo,
>> >
>> > When I check for /etc/init.d/snort file following output I got
>> >
>> >         [root at ...16428... init.d]# snort status
>> [trim]
>> >          Any idea where bug is lurking ??
>>
>> yes... you are in the init.d folder trying to run a script that lives in
>> init.d... you left out the ./ yet you have snort in your path so it was
>> executed
>> directly instead of via your script...
>>
>> your script is also the place where you need to check the start up
>> parameters
>> that are fed to your snort... this is that script you got out of that pdf
>> file,
>> isn't it??
>>
>> --
>>
>
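A small check script, added here as an example and not part of the thread or of the Snort project. It shows the two points the thread turns on: a bare command word such as `snort` is resolved through PATH, while `./snort` runs the script in the current directory; and Snort started without `-c <config>` runs in packet dump (sniffer) mode and treats leftover words as a BPF filter, which is why `snort status` tried to compile `status`. The script classifies Snort command lines as taken from `ps aux` output, which is the quick post-reboot check the question asks for. The sample ps lines are constructed, modelled on the ones in the thread; the PID 4102 entry is invented.

```shell
#!/bin/sh
# Added example (not from the thread). Two checks a Snort admin can keep
# in a script to confirm the daemon is really in IDS mode after a reboot.

# Report how a typed command word is resolved by the shell: a word that
# contains '/' runs relative to the current directory, anything else is
# looked up in PATH (so "snort" in /etc/init.d runs the binary, not ./snort).
resolve_word() {
  case "$1" in
    */*) printf 'path-relative: %s\n' "$1" ;;
    *)   printf 'PATH lookup: %s\n' "$(command -v "$1" || echo '(not found)')" ;;
  esac
}

# Classify one snort command line as "ids" when it carries -c <config>
# (also the attached form -c/path), or "packet-dump" otherwise: with no
# config file Snort falls back to packet dump mode.
snort_mode() {
  case " $1 " in
    *" -c"*) echo ids ;;
    *)       echo packet-dump ;;
  esac
}

# Read ps-aux-style lines on stdin and print "<pid> <mode>" for every
# process whose program name is snort. The header line, "grep snort" and
# unrelated processes that merely mention snort (e.g. an editor opening
# snort-centos-6x.sh) are skipped because their program name is not snort.
report_snort_processes() {
  while read -r user pid cpu mem vsz rss tty stat start time cmd; do
    [ -n "$cmd" ] || continue
    first=${cmd%% *}                 # program path, e.g. /usr/local/bin/snort
    case "${first##*/}" in
      snort) printf '%s %s\n' "$pid" "$(snort_mode "$cmd")" ;;
    esac
  done
}

# Constructed sample output, modelled on the ps lines in the thread.
# PID 1801 is the properly started IDS; PID 4102 is an invented daemon
# started without -c, i.e. a sniffer that is not applying any rules.
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
snort     1801  0.8  3.8 412328 74744 ?        Ssl  12:25   0:01 /usr/local/bin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
root      4102  0.2  1.1 212000 21000 ?        Ssl  12:31   0:00 /usr/local/bin/snort -i eth0 -D
root      3317  0.0  0.0 103236   852 pts/13   S+   12:27   0:00 grep snort
clcmain  28334  0.1  0.9 377512 17836 ?        S    12:16   0:00 gedit /home/clcmain/Downloads/euca-images/snort-centos-6x.sh'

# Stand-alone run: show both resolutions, then classify the sample processes.
resolve_word ./snort
resolve_word snort
printf '%s\n' "$SAMPLE_PS" | report_snort_processes
```

On a live box replace the constructed `SAMPLE_PS` with `ps aux`; any line reported as `packet-dump` means that Snort instance was started without a configuration and is not inspecting traffic against rules, which is exactly the state the init script must avoid after a reboot.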