[Snort-users] First time snorting ... ERROR: The dynamic detection library ...

waldo kitty wkitty42 at ...14940...
Thu Nov 14 19:41:55 EST 2013

On 11/14/2013 3:40 PM, Alan McKay wrote:
> On Thu, Nov 14, 2013 at 3:24 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>> speaking of command lines, what is your snort command line?
> Straight out of that doc I'd posted earlier
> /usr/local/snort/bin/snort -u snort -g snort -c
> /usr/local/snort/etc/snort.conf -i eth0

ahhh... ok... so you are not (yet) running it daemonized... my bad, too, because 
the output would be in your /var/logs/messages file if you were running it 
daemonized... sorry about that :?

> THough now I just changed it to
> /usr/local/snort/bin/snort -u snort -g snort -c
> /usr/local/snort/etc/snort.conf -i eth0 >
> /var/log/snort/snort.startup.log 2>&1

ok... try adding "-k none" before your "-c" or after your "eth0"...

>> also, you might want to stop snort, delete the snort log file in /var/logs...
>> then restart it, give it a few minutes, terminate it again and post that log...
>> we might spot something in there...
> Snort logs are empty :

ok... looking at the below, i thought you might have been looking at the 
snort.log.xxxxxxxxxx files... those are pcap (aka packet capture) files... what 
i was looking for, above, is the startup and shutdown output of snort... your 
snort.startup.log should have the information i was looking for... when you 
start to run snort daemonized, you won't use that redirection and all that 
information will be written to your system log...

> root at ...16588...:/usr/local/snort/etc# ls -al /var/log/snort/
> total 36
> drwxr-xr-x  2 snort snort  4096 Nov 14 15:35 .
> drwxr-xr-x 19 root  root   4096 Nov 14 10:36 ..
> -rw-r--r--  1 snort snort  2056 Nov 14 15:29 barnyard2.waldo
> -rw-r--r--  1 root  root  22416 Nov 14 15:35 snort.startup.log
> -rw-------  1 snort snort     0 Nov 14 15:33 snort.u2.1384461197
> -rw-------  1 snort snort     0 Nov 14 15:35 snort.u2.1384461344

yep, your u2 files are definitely empty... that indicates one of two things...

1. your snort is not seeing the traffic
2. the traffic your snort is seeing is not triggering any alert rules

> Here is the startup log
> https://docs.google.com/document/d/1bd3atMiqTBvbwF8BIpZDSVEr1vYniyM0GSIHZGvVWO8/edit?usp=sharing

i'll take a look... [time passes] ok... this indicates that snort is running and 
looking for traffic...

   Commencing packet processing (pid=31755)

now we need to see the rest of the output when you shut down snort... that will 
give us the statistics of traffic that it has seen, if any at all...

> Anyway, thanks.  I'll start going through the FAQ instead of that other doc.


NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

More information about the Snort-users mailing list