[Snort-users] snort[731]: FATAL ERROR: Cannot decode data link type 113 on openvz VPS

Dave Osbourne dave at osbourne.uk.eu.org
Thu Aug 10 05:05:43 EDT 2017


Have you tried a veth rather than venet?

D

On 2017-08-10 08:51, Ajdin Lupčević via Snort-users wrote:
>
> Hello,
>
> I try to test snort on openvz vps because we need to make detection 
> system for our dedicated servers when spam is sent from our network.
> When I try to start snort with command snort -i venet0:0 -c 
> /etc/snort/snort.conf -T I find messages in /var/log/messages as follows:
>
> Aug  9 06:21:50 test snort[730]: 329 out of 1024 flowbits in use.
> Aug  9 06:22:10 test snort[730]:
> Aug  9 06:22:10 test snort[730]: [ Port Based Pattern Matching Memory ]
> Aug  9 06:22:10 test snort[730]: +- [ Aho-Corasick Summary ] -------------------------------------
> Aug  9 06:22:10 test snort[730]: | Storage Format    : Full-Q
> Aug  9 06:22:10 test snort[730]: | Finite Automaton  : DFA
> Aug  9 06:22:10 test snort[730]: | Alphabet Size     : 256 Chars
> Aug  9 06:22:10 test snort[730]: | Sizeof State      : Variable (1,2,4 bytes)
> Aug  9 06:22:10 test snort[730]: | Instances         : 235
> Aug  9 06:22:10 test snort[730]: |     1 byte states : 220
> Aug  9 06:22:10 test snort[730]: |     2 byte states : 15
> Aug  9 06:22:10 test snort[730]: |     4 byte states : 0
> Aug  9 06:22:10 test snort[730]: | Characters        : 193653
> Aug  9 06:22:10 test snort[730]: | States            : 149896
> Aug  9 06:22:10 test snort[730]: | Transitions       : 23056914
> Aug  9 06:22:10 test snort[730]: | State Density     : 60.1%
> Aug  9 06:22:10 test snort[730]: | Patterns          : 9789
> Aug  9 06:22:10 test snort[730]: | Match States      : 10624
> Aug  9 06:22:10 test snort[730]: | Memory (MB)       : 77.61
> Aug  9 06:22:10 test snort[730]: |   Patterns        : 1.12
> Aug  9 06:22:10 test snort[730]: |   Match Lists     : 2.50
> Aug  9 06:22:10 test snort[730]: |   DFA
> Aug  9 06:22:10 test snort[730]: |     1 byte states : 1.36
> Aug  9 06:22:10 test snort[730]: |     2 byte states : 72.23
> Aug  9 06:22:10 test snort[730]: |     4 byte states : 0.00
> Aug  9 06:22:10 test snort[730]: +----------------------------------------------------------------
> Aug  9 06:22:10 test snort[730]: [ Number of patterns truncated to 20 bytes: 545 ]
> Aug  9 06:22:10 test snort[730]: pcap DAQ configured to passive.
> Aug  9 06:22:10 test snort[730]: Acquiring network traffic from "venet0:0".
> Aug  9 06:22:10 test snort[730]: Initializing daemon mode
> Aug  9 06:22:10 test snort[731]: Daemon initialized, signaled parent pid: 730
> Aug  9 06:22:10 test snort[731]: Reload thread starting...
> Aug  9 06:22:10 test snort[731]: Reload thread started, thread 0x7f6927ecf700 (732)
> Aug  9 06:22:10 test snort[731]: FATAL ERROR: Cannot decode data link type 113
>
> I also need to tell you that snort is installed via yum and how can I 
> make it work on venet0:0 interface that is active interface on openvz 
> vps. If you have any guide or you can explain please let me know.
>
> Best regards.
>
> -- 
>
> Ajdin Lupčević
> System Administrator/Web Hosting Support
>
> Globalhost d.o.o.
> Web Hosting Solutions
> Kralja Tvrtka 15 · 72290 Novi Travnik · BiH
>
> Tel: +387 30 795 066 · Fax: +387 30 795 067
> Web: www.global.ba <http://www.global.ba/> · E-mail: info at global.ba <mailto:info at global.ba>
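
Added example (not part of either message in this thread, and not Snort project code): a pre-flight check for the failure reported above. Data link type 113 is libpcap's DLT_LINUX_SLL (Linux cooked capture); the script reads the kernel's hardware type for an interface from sysfs and reports whether it presents Ethernet framing, as a veth device does. The function names and the SYSFS_NET override are assumptions made for illustration.

```shell
#!/bin/sh
# Pre-flight link-layer check before pointing Snort at an interface.
# SYSFS_NET can be overridden to run the check against a constructed tree.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Print the kernel ARPHRD hardware type of an interface.
# Alias labels such as "venet0:0" are not separate devices, so the
# ":N" suffix is dropped and the underlying device is inspected.
iface_hwtype() {
    dev="${1%%:*}"
    f="$SYSFS_NET/$dev/type"
    [ -r "$f" ] || return 2
    cat "$f"
}

# Return 0 if captures on the interface carry Ethernet headers,
# 1 if they do not, 2 if the device cannot be found.
iface_check() {
    t=$(iface_hwtype "$1") || {
        echo "$1: no such device under $SYSFS_NET" >&2
        return 2
    }
    case "$t" in
        1|772)
            # ARPHRD_ETHER (1) and ARPHRD_LOOPBACK (772): libpcap
            # reports link type 1 (DLT_EN10MB) for both.
            echo "$1: hardware type $t, Ethernet framing (link type 1)"
            return 0
            ;;
        *)
            # Anything else has no Ethernet header; libpcap's fallback
            # for such devices is cooked capture, link type 113.
            echo "$1: hardware type $t, no Ethernet framing;" \
                 "expect a non-Ethernet link type such as 113 (DLT_LINUX_SLL)"
            return 1
            ;;
    esac
}

# Stand-alone use: sh check.sh venet0:0
if [ $# -gt 0 ]; then
    iface_check "$1"
fi
```

A non-zero result means the capture will not be Ethernet-framed, so the Snort build has to be able to decode that link type or the sensor has to listen on an Ethernet-type interface instead.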
