[Snort-users] Snort Daemon More Help Needed 2
2/26

Hello,

I am providing the result of what was asked of me to help troubleshoot the daemon problem. The daemon runs if INTERFACE=any.

[root@Gateway snort]# tail -f /var/log/messages

######## I ran snortd with INTERFACE=any #####################################
Feb 26 11:08:45 Gateway snort: -------------------------------------------------------------------------------
Feb 26 11:08:45 Gateway snort: Rule application order:
Feb 26 11:08:45 Gateway snort: ->activation
Feb 26 11:08:45 Gateway snort: ->dynamic
Feb 26 11:08:45 Gateway snort: ->alert
Feb 26 11:08:45 Gateway snort: ->pass
Feb 26 11:08:45 Gateway snort: ->log
Feb 26 11:08:45 Gateway snort:
Feb 26 11:08:45 Gateway snort: Log directory = /var/log/snort
Feb 26 11:08:45 Gateway snort: Snort initialization completed successfully (pid=7339)
Feb 26 15:22:03 Gateway snort: Final Flow Statistics
Feb 26 15:22:03 Gateway snort: Snort exiting
Feb 26 15:22:03 Gateway snortd: snort shutdown succeeded

######## I ran snortd with INTERFACE=3Dany ###################################
Feb 26 15:22:07 Gateway modprobe: modprobe: Can't locate module 3Dany
Feb 26 15:22:07 Gateway snort: FATAL ERROR: OpenPcap() device 3Dany open: ^Iioctl: No such device
Feb 26 15:22:07 Gateway snortd: snort startup failed

I feel that in some machines snort is not listening on all interfaces even when I ran with INTERFACE=any. I got positive results in one of them. All the machines I use are Red Hat 9.0.

Thanks.

-------------------------------------------------------------
HISTORY
--------------------------------------------------------------

On Fri, 25 Feb 2005 16:00:02 -0500, Jiju Menon <security4rrm@gmail.com> wrote:
> 2/24
>
> Hello,
>
> Thanks to Mr. Maria Lopez Hernandez for responding especially for
> clearly pointing the change to me. I am not well versed in scripts.
>
> I did as was advised. When I try to start the service it fails. Is
> there anything more that I should do to get the script running on all
> three interfaces?
>
> Thank you.
>

Message: 6
Subject: Re: [Snort-users] Snort Daemon More Help Needed
From: Jose Maria Lopez Hernandez <jkerouac@bgsec.com>
To: "snort-users@lists.sourceforge.net" <snort-users@lists.sourceforge.net>
Organization: bgSEC
Date: Fri, 25 Feb 2005 22:58:17 +0100

On Fri, 25-02-2005 at 16:00 -0500, Jiju Menon wrote:
> 2/24
>
> Hello,
>
> Thanks to Mr. Maria Lopez Hernandez for responding especially for
> clearly pointing the change to me. I am not well versed in scripts.
>
> I did as was advised. When I try to start the service it fails. Is
> there anything more that I should do to get the script running on all
> three interfaces?
>
> Thank you.

You have to send to the list the error that snort gives to you. If
there's an error shown when the script runs and also you can do
a "tail -f /var/log/messages" and then run the script to see what
snort says when it tries to start. If you post that information
we maybe can help you further.

Regards.

--

> ----------------------------------------------------------------------------------------
> HISTORY
> -----------------------------------------------------------------------------------------
>
> > Message: 7
> > Date: Wed, 23 Feb 2005 17:12:47 -0500
> > From: Jiju Menon <security4rrm@gmail.com>
> > Reply-To: Jiju Menon <security4rrm@gmail.com>
> > To: snort-users@lists.sourceforge.net
> > Subject: [Snort-users] Snort Deamon
> >
> > Hello,
> >
> > I am trying to use a Snort daemon from the website
> > http://msbnetworks.net/snort/snortd.txt,
> >
> > I am running snort on a machine with 3 interfaces and I would like to
> > run snort in all interfaces.
> > There is a parameter INTERFACE= , in the file. What value should I
> > give if I want snort to sniff all interfaces?
> >
> > By default, it takes only eth0 and does not seem to change interface
> > even if I specify eth1, or eth2.
> >
> > Any help is welcome.
> >
> > Thank you
> >
> > --__--__--
> >
> > Message: 8
> > Subject: Re: [Snort-users] Snort Deamon
> > From: Jose Maria Lopez Hernandez <jkerouac@bgsec.com>
> > To: "snort-users@lists.sourceforge.net" <snort-users@lists.sourceforge.net>
> > Organization: bgSEC
> > Date: Wed, 23 Feb 2005 23:46:52 +0100
> >
> > On Wed, 23-02-2005 at 17:12 -0500, Jiju Menon wrote:
> > > Hello,
> > >
> > > I am trying to use a Snort daemon from the website
> > > http://msbnetworks.net/snort/snortd.txt,
> > >
> > > I am running snort on a machine with 3 interfaces and I would like to
> > > run snort in all interfaces.
> > > There is a parameter INTERFACE=3D , in the file. What value should I
> > > give if I want snort to sniff all interfaces?
> >
> > Just use:
> > INTERFACE=3Dany
> >
> > But you have to change the script. What's wrong is the script
> > you are using. It specifies the variable INTERFACE but it doesn't
> > use it later to launch snort, so it won't work.
> >
> > Change the line:
> > daemon /usr/local/bin/snort -u snort -g snort -d -D \
> >     -c /etc/snort/snort.conf
> >
> > to:
> >
> > daemon /usr/local/bin/snort -u snort -g snort -d -i $INTERFACE -D \
> >     -c /etc/snort/snort.conf
> >
> > and it will work.
> >
> > > By default, it takes only eth0 and does not seem to change interface
> > > even if I specify eth1, or eth2.
> > >
> > > Any help is welcome.
> > >
> > > Thank you
> >
> > Regards.
> >
> > --
> >
> > Jose Maria Lopez Hernandez
> > Technical Director, bgSEC
> > jkerouac@bgsec.com
> > bgSEC Seguridad y Consultoria de Sistemas Informaticos
> > http://www.bgsec.com
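
The 2/26 log shows the value `3Dany` reaching snort as a device name; `=3D` is the quoted-printable encoding of `=`, so a line taken literally from a raw digest as `INTERFACE=3Dany` assigns `3Dany` rather than `any`. A pre-flight check that an init script could run before the `daemon ... -i $INTERFACE` line, as an added example that is not part of the original thread or of snortd; the function name `check_interface`, its optional directory argument and its return codes are assumptions:

```shell
#!/bin/sh
# Added example: validate the INTERFACE value of a snortd-style init script
# before it is handed to "snort -i". All names here are hypothetical.

# check_interface VALUE [NETDIR]
#   VALUE   the string the script would pass to "snort -i"
#   NETDIR  directory with one entry per interface (Linux: /sys/class/net)
# Returns 0 if VALUE is usable, 1 if it is empty or malformed,
# 2 if it looks like a quoted-printable leftover, 3 if no such device exists.
check_interface() {
    value=$1
    netdir=${2:-/sys/class/net}

    case $value in
        '')
            echo "INTERFACE is empty" >&2
            return 1 ;;
        *[!A-Za-z0-9_.:-]*)
            echo "INTERFACE '$value' contains unexpected characters" >&2
            return 1 ;;
    esac

    # libpcap's pseudo-device "any" has no entry under NETDIR.
    if [ "$value" = any ]; then
        return 0
    fi

    if [ -e "$netdir/$value" ]; then
        return 0
    fi

    # "=3D" is "=" in quoted-printable; pasted literally after "INTERFACE="
    # it leaves a value that starts with "3D", as in the 2/26 log.
    case $value in
        3D?*)
            echo "INTERFACE '$value' looks like a mail-encoding artifact; try '${value#3D}'" >&2
            return 2 ;;
    esac

    echo "INTERFACE '$value' is not a device on this host" >&2
    return 3
}
```

In the init script the call would sit just before the `daemon` line, for instance `check_interface "$INTERFACE" || exit 1`, so a bad value is reported by name instead of surfacing as an OpenPcap() failure in /var/log/messages.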