Old 10-22-2014, 05:30 PM   #16
Fred Caro
Member
 
Registered: May 2007
Posts: 999

Original Poster
Rep: Reputation: 166
reply


Thanks.
The results of the diff comparison are ('snort.conf.old' being the original):

Code:
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /etc/snort $ sudo diff -urN snort.conf.old snort.conf
--- snort.conf.old	2014-10-20 01:38:32.893683242 +0100
+++ snort.conf	2014-10-20 23:02:18.250749169 +0100
@@ -85,7 +85,7 @@
 portvar HTTP_PORTS [36,80,81,82,83,84,85,86,87,88,89,90,311,383,555,591,593,631,801,808,818,901,972,1158,1220,1414,1533,1741,1830,2231,2301,2381,2809,3029,3037,3057,3128,3443,3702,4000,4343,4848,5117,5250,6080,6173,6988,7000,7001,7144,7145,7510,7770,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8509,8800,8888,8899,9000,9060,9080,9090,9091,9111,9443,9999,10000,11371,12601,15489,29991,33300,34412,34443,34444,41080,44449,50000,50002,51423,53331,55252,55555,56712] 
 
 # List of ports you want to look for SHELLCODE on.
-portvar SHELLCODE_PORTS !80
+portvar SHELLCODE_PORTS 80
 
 # List of ports you might see oracle attacks on
 portvar ORACLE_PORTS 1024:
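Review bot: the `portvar SHELLCODE_PORTS` change inverts the default rather than extending it. `!80` means every port except 80; plain `80` restricts shellcode detection to port 80 alone, so all the other ports that were inspected before are now skipped. Unless that narrowing is deliberate, keep `portvar SHELLCODE_PORTS !80`.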
@@ -120,8 +120,8 @@
 # not relative to snort.conf like the above variables
 # This is completely inconsistent with how other vars work, BUG 89986
 # Set the absolute path appropriately
-var WHITE_LIST_PATH /etc/snort/rules
-var BLACK_LIST_PATH /etc/snort/rules
+#var WHITE_LIST_PATH /etc/snort/rules
+#var BLACK_LIST_PATH /etc/snort/rules
 
 ###################################################
 # Step #2: Configure the decoder.  For more information, see README.decode
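Review bot: commenting out `WHITE_LIST_PATH` and `BLACK_LIST_PATH` removes the variables instead of setting them, which is not what the comment directly above asks ("Set the absolute path appropriately"). Any later line in snort.conf that still expands `$WHITE_LIST_PATH` or `$BLACK_LIST_PATH` (the reputation preprocessor's list files, in stock configs) will fail to resolve and stop Snort from starting. Either leave the two `var` lines defined with the right directory, or comment out the lines that consume them as well.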
@@ -146,10 +146,10 @@
 config disable_ipopt_alerts
 
 # Alert if value in length field (IP, TCP, UDP) is greater th elength of the packet
-# config enable_decode_oversized_alerts
+config enable_decode_oversized_alerts
 
 # Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts)
-# config enable_decode_oversized_drops
+config enable_decode_oversized_drops
 
 # Configure IP / TCP checksum mode
 config checksum_mode: all
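Review bot: `config enable_decode_oversized_drops` does nothing in this setup. As the comment above it says, drops only apply in inline mode, and this Snort runs the pcap DAQ in passive mode (the later "pcap DAQ configured to passive." output confirms it), so only the `enable_decode_oversized_alerts` line has any effect. Leaving the drops line commented avoids suggesting an enforcement that is not actually happening.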
@@ -193,7 +193,7 @@
 
 # Configure default log directory for snort to log to.  For more information see snort -h command line options (-l)
 #
-# config logdir:
+config logdir:/var/log/snort
 
 
 ###################################################
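Review bot: `config logdir:/var/log/snort` sets where output goes, not what gets written, so it is not a substitute for choosing an alert mode with `-A <mode>` on the command line or an `output alert_*` line further down. The comment above also points at the `-l` command-line option; if the Debian init script passes `-l`, check which of the two wins before relying on this directive.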
@@ -530,13 +530,13 @@
 # For more information, see Snort Manual, Configuring Snort - Output Modules
 ###################################################
 
-# unified2 
+#unified2 
 # Recommended for most installs
 # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
 output unified2: filename snort.log, limit 128, nostamp, mpls_event_types, vlan_event_types
 
 # Additional configuration for specific types of installs
-# output alert_unified2: filename snort.alert, limit 128, nostamp
+output alert_unified2: filename snort.alert, limit 128, nostamp
 # output log_unified2: filename snort.log, limit 128, nostamp 
 
 # syslog
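Review bot: this enables two unified2 output modules at once (`output unified2:` writing snort.log and `output alert_unified2:` writing snort.alert), both binary, which is the opposite of the plain-text /var/log/snort alert and log the poster says they wanted, and the second module duplicates every alert into a second binary file. The `# unified2 ` to `#unified2 ` edit is a comment-only change and does nothing. If plain text is the goal, leave both unified2 lines commented and use `-A fast` or `-A full`; if barnyard2-style processing is the goal, one unified2 module is enough.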
@@ -584,7 +584,7 @@
 #include $RULE_PATH/browser-webkit.rules
 include $RULE_PATH/chat.rules
 #include $RULE_PATH/content-replace.rules
-include $RULE_PATH/ddos.rules
+#include $RULE_PATH/ddos.rules
 include $RULE_PATH/dns.rules
 include $RULE_PATH/dos.rules
 include $RULE_PATH/experimental.rules
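Review bot: `ddos.rules` is disabled with no reason recorded while the sibling `dos.rules` stays enabled. Disabling a whole rule file removes detection for that entire class of traffic; if this was to silence one noisy or failing rule, note which SID it was and disable that single rule instead, and if the file was failing to load, the config test run output would show why.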
I think I made a mess of the logs; what I wanted was to use var/log/snort/log and alert rather than Barnyard, etc.
I can send the original snort.conf if needed, though there might not be space here.
Take the point about the T test, being a bit dozy. Not sure about the warnings, though.

Thanks again,
Fred.
 
Old 10-22-2014, 06:39 PM   #17
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3531
Quote:
Originally Posted by Fred Caro View Post
what I wanted was to use was var/log/snort/log and alert rather than Barnyard, etc
There are a few possibilities: none, binary logging (unified), tcpdump packet log, database, syslog and ascii alert log and it may not be clear from reading 'man snort' but just setting the log directory name is not enough. The diff shows you have correctly set the log directory name but you also enabled binary (unified) logging. See 'man snort' for "-A".


Quote:
Originally Posted by Fred Caro View Post
Not sure about the warnings, though.
I don't feel like going over each and every flowbit and other warning but as far as I can see those can be ignored. If running the test succeeds then you should be good to go. BTW you haven't confirmed if you are now able to run Snort in daemon mode and test that's the case. Please do so.
 
Old 10-23-2014, 08:53 PM   #18
Fred Caro
Member
 
Registered: May 2007
Posts: 999

Original Poster
Rep: Reputation: 166
Ur

Hashed out the 'unified2' option but left all else alone, gave me this:

pcap DAQ configured to passive.
Acquiring network traffic from "-A".
ERROR: Can't set DAQ BPF filter to 'alert-mode full eth1' (pcap_daq_set_filter: pcap_compile: syntax error)!

Perhaps I'm putting my a's before my b's?

'DAQ BPF' is not present in snort.conf

Oh for sysinit and Debian.

Fred.
 
Old 10-24-2014, 01:56 AM   #19
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3531
Quote:
Originally Posted by Fred Caro View Post
Code:
Acquiring network traffic from "-A".
That line (please post errors and the actual command causing it) suggests Snort didn't find its ethernet device because you supplied the switches in the wrong order. Should have looked something like this:
Code:
sudo snort -c /etc/snort/snort.conf -A -D -i eth1
 
Old 10-24-2014, 08:16 PM   #20
Fred Caro
Member
 
Registered: May 2007
Posts: 999

Original Poster
Rep: Reputation: 166
reply

I tried another test, with your suggested cmd line:
Code:
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ sudo snort -c /etc/snort/snort.conf -A -D -i eth1 -v -T
ERROR: Unknown command line alert option: -D
Fatal Error, Quitting..
I did this on the original file and got much the same result, i.e., it balked at the -D option.
I could purge snort and start again?

Fred.
 
Old 10-24-2014, 08:33 PM   #21
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3531
Aw crap, forgot to supply an argument to "-A".
Guess it pays to actually 'man snort' in a while.
Also note there's no "-T" and no "-v":
Code:
sudo snort -c /etc/snort/snort.conf -A fast -D -i eth1
 
Old 10-25-2014, 03:15 PM   #22
Fred Caro
Member
 
Registered: May 2007
Posts: 999

Original Poster
Rep: Reputation: 166
reply

Thanks. I did try the above, the results are:

Code:
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ sudo snort -c /etc/snort/snort.conf -A fast -D -i eth1 
[sudo] password for fred: 
Spawning daemon child...
My daemon child 2934 lives...
Daemon parent exiting (0)
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ pgrep -lf snort | grep eth1
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ pgrep -lf snort | grep eth0
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ sudo service snort restart
 * Stopping Network Intrusion Detection System  snort                                                                  [ OK ] 
 * Starting Network Intrusion Detection System  snort                                                                  [ OK ] 
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ pgrep -lf snort | grep eth1
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ sudo service snort status
 * Status of snort daemon(s)                                           [ OK ]
No evidence of snort running on any eth's and not sure how many daemon(s) should be running.

Fred.
 
Old 10-29-2014, 05:27 PM   #23
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3531
Quote:
Originally Posted by Fred Caro View Post
Code:
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ pgrep -lf snort | grep eth1
Please don't grep for stuff unnecessarily: the output of 'sudo pgrep -lf snort' would do.
Also please check syslog / its own log after you've started it.
 
Old 10-30-2014, 09:17 PM   #24
Fred Caro
Member
 
Registered: May 2007
Posts: 999

Original Poster
Rep: Reputation: 166
reply

Thanks for reply.
Not sure what "syslog /" means but tried the following with attendant results:

Code:
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /var/log $ tail -f syslog
Oct 31 00:36:11 fred-HP-Compaq-nc6220-PU982ET-ABU rsyslogd: [origin software="rsyslogd" swVersion="7.4.4" x-pid="446" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Oct 31 00:36:44 fred-HP-Compaq-nc6220-PU982ET-ABU anacron[1210]: Job `cron.daily' terminated (exit status: 1) (mailing output)
Oct 31 00:36:44 fred-HP-Compaq-nc6220-PU982ET-ABU postfix/sendmail[2858]: fatal: open /etc/postfix/main.cf: No such file or directory
Oct 31 00:36:44 fred-HP-Compaq-nc6220-PU982ET-ABU anacron[1210]: Tried to mail output of job `cron.daily', but mailer process (/usr/sbin/sendmail) exited with ststus 75
Oct 31 00:41:07 fred-HP-Compaq-nc6220-PU982ET-ABU anacron[1210]: Job `cron.weekly' started
Oct 31 00:41:07 fred-HP-Compaq-nc6220-PU982ET-ABU anacron[2921]: Updated timestamp for job `cron.weekly' to 2014-10-31
^C
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /var/log $ cd snort
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /var/log/snort $ ls
alert  alert.1.gz  snort.log  snort.log.1414262738
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /var/log/snort $ less snort.log
"snort.log" may be a binary file.  See it anyway? 
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /var/log/snort $ sudo tail -f syslog
tail: cannot open ‘syslog’ for reading: No such file or directory
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /var/log/snort $ tail -f syslog
tail: cannot open ‘syslog’ for reading: No such file or directory
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /var/log/snort $ cd ..
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /var/log $ tail -f syslog
Oct 31 00:36:11 fred-HP-Compaq-nc6220-PU982ET-ABU rsyslogd: [origin software="rsyslogd" swVersion="7.4.4" x-pid="446" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Oct 31 00:36:44 fred-HP-Compaq-nc6220-PU982ET-ABU anacron[1210]: Job `cron.daily' terminated (exit status: 1) (mailing output)
Oct 31 00:36:44 fred-HP-Compaq-nc6220-PU982ET-ABU postfix/sendmail[2858]: fatal: open /etc/postfix/main.cf: No such file or directory
Oct 31 00:36:44 fred-HP-Compaq-nc6220-PU982ET-ABU anacron[1210]: Tried to mail output of job `cron.daily', but mailer process (/usr/sbin/sendmail) exited with ststus 75
Oct 31 00:41:07 fred-HP-Compaq-nc6220-PU982ET-ABU anacron[1210]: Job `cron.weekly' started
Oct 31 00:41:07 fred-HP-Compaq-nc6220-PU982ET-ABU anacron[2921]: Updated timestamp for job `cron.weekly' to 2014-10-31
Oct 31 00:43:05 fred-HP-Compaq-nc6220-PU982ET-ABU anacron[1210]: Job `cron.weekly' terminated
Oct 31 00:43:05 fred-HP-Compaq-nc6220-PU982ET-ABU anacron[1210]: Normal exit (2 jobs run)
^C
It seems there are more problems than just snort but the existence of 'alert.1.gz' suggests snort is recording something from somewhere.

Fred.
 
Old 11-02-2014, 05:03 AM   #25
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3531
Quote:
Originally Posted by Fred Caro View Post
Not sure what "syslog /" means but
I said "check syslog / its own log" so here the forward slash functions as "or". Have you never encountered that?


Quote:
Originally Posted by Fred Caro View Post
Code:
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /var/log $ tail -f syslog
Using 'tail' results in displaying entries that appear now in the log file (or starting any amount of lines earlier with the "-n" switch). Ergo if you have (re)started snort earlier on you will not find those entries. You can find those entries with
Code:
grep -i snort /var/log/syslog

Quote:
Originally Posted by Fred Caro View Post
Code:
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /var/log/snort $ ls
alert  alert.1.gz  snort.log  snort.log.1414262738
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /var/log/snort $ less snort.log
"snort.log" may be a binary file.  See it anyway?
As you configured snort.conf that way, in your directory output above "snort.log" either contains unified (binary) or packet logging and "alert" contains plain text alerts. You can find out what files contain with
Code:
file /var/log/snort/*

Also note that you have not returned earlier requested 'sudo pgrep -lf snort' information.
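Added example for the "find out what files contain" advice above; it is not Snort's own code and not from anyone in the thread. It does offline what `file /var/log/snort/*` does, but knows the two formats Snort itself writes: unified2 records (no magic number, which is why `file` only says "data") and libpcap packet logs. It builds and classifies a constructed temporary directory, so no Snort install or real log directory is needed; every file name and byte string below is made up for the demonstration, and the unified2 record type numbers are the ones from Snort's Unified2_common.h.

```python
"""Tell Snort's log file formats apart, offline."""
import gzip
import os
import shutil
import struct
import tempfile

# libpcap magic numbers (what `file` reports as "tcpdump capture file").
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian, microsecond timestamps)",
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian, microsecond timestamps)",
    b"\x4d\x3c\xb2\xa1": "pcap (little-endian, nanosecond timestamps)",
    b"\xa1\xb2\x3c\x4d": "pcap (big-endian, nanosecond timestamps)",
}

# unified2 record types (Snort's Unified2_common.h). A unified2 file has no
# magic: it starts directly with a big-endian (type, length) record header.
UNIFIED2_TYPES = {
    2: "UNIFIED2_PACKET",
    7: "UNIFIED2_IDS_EVENT",
    72: "UNIFIED2_IDS_EVENT_IPV6",
    104: "UNIFIED2_IDS_EVENT_VLAN",
    105: "UNIFIED2_IDS_EVENT_IPV6_VLAN",
    110: "UNIFIED2_EXTRA_DATA",
}

TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def classify(path, sample=512):
    """Return a short description of what one Snort log file contains."""
    size = os.path.getsize(path)
    if size == 0:
        return "empty"
    with open(path, "rb") as fh:
        head = fh.read(sample)
    if head[:4] in PCAP_MAGICS:
        return PCAP_MAGICS[head[:4]]
    if head[:2] == b"\x1f\x8b":
        return "gzip (rotated log)"
    if len(head) >= 8:
        rtype, rlen = struct.unpack(">II", head[:8])
        # A genuine record header has a known type and a length that fits the file.
        if rtype in UNIFIED2_TYPES and 0 < rlen and 8 + rlen <= size:
            return "unified2 (first record %s, %d bytes)" % (UNIFIED2_TYPES[rtype], rlen)
    if all(b in TEXT_BYTES for b in head):
        return "text"
    return "unknown binary"


def classify_dir(directory):
    """Map every regular file in a directory to its classification."""
    return {
        name: classify(os.path.join(directory, name))
        for name in sorted(os.listdir(directory))
        if os.path.isfile(os.path.join(directory, name))
    }


def make_samples(directory):
    """Write constructed stand-ins for the kinds of files seen in the thread."""
    def put(name, data):
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)

    put("alert", b"")  # ascii alert file with nothing logged yet
    with gzip.open(os.path.join(directory, "alert.1.gz"), "wb") as gz:
        gz.write(b"[**] [1:1000001:1] constructed rotated alert [**]\n")
    # unified2: header (type 104 = IDS_EVENT_VLAN, length 68), body zero-filled.
    put("snort.log", struct.pack(">II", 104, 68) + b"\x00" * 68)
    # libpcap global header: magic, version 2.4, thiszone, sigfigs, snaplen 1514, linktype 1.
    put("snort.log.1414262738",
        b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 1514, 1))
    put("alert.fast", b"11/05-23:27:35.000000  [**] [1:1000001:1] constructed [**] "
                      b"[Priority: 3] {ICMP} 10.0.0.1 -> 10.0.0.2\n")


def demo():
    """Build the sample directory, classify it, clean up; returns the mapping."""
    tmp = tempfile.mkdtemp(prefix="snortlogs_")
    try:
        make_samples(tmp)
        result = classify_dir(tmp)
    finally:
        shutil.rmtree(tmp)
    for name, kind in result.items():
        print("%-22s %s" % (name, kind))
    return result


if __name__ == "__main__":
    demo()
```

Point `classify_dir` at a real /var/log/snort (as root) to get the same table for live files; the unified2 check is what tells a barnyard2 spool apart from a plain "data" file.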
 
Old 11-04-2014, 05:00 PM   #26
Fred Caro
Member
 
Registered: May 2007
Posts: 999

Original Poster
Rep: Reputation: 166
reply

Thanks for your answer.
No, I hadn't seen the phrase "system /" used before.

Results from 'sudo pgrep -lf snort' are:
Code:
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ sudo pgrep -lf snort
[sudo] password for fred: 
14444 sudo
I thought tail gave you the last few (10?) lines and -f was follow thereafter, still similar.

grep for snort in syslog:
Code:
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ sudo -i snort /var/log/syslog
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Snort BPF option: /var/log/syslog
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
ERROR: Can't set DAQ BPF filter to '/var/log/syslog' (pcap_daq_set_filter: pcap_compile: syntax error)!
Fatal Error, Quitting..
For 'file' (type):

Code:
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ sudo file /var/log/snort/*
/var/log/snort/alert:                empty 
/var/log/snort/alert.1.gz:           gzip compressed data, from Unix, last modified: Sat Oct 25 19:47:10 2014
/var/log/snort/snort.log:            data
/var/log/snort/snort.log.1414262738: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 1514)
I ran this:

Code:
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /etc/snort $ sudo grep eth1 snort.conf
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /etc/snort $ sudo grep eth0 snort.conf
# config response: eth0 attempts 2
From this outcome perhaps the line in snort.conf:

ipvar Home_Net any

should be reset to:

ipvar Home_Net eth1,eth0

Perhaps?

Thanks again, Fred.
 
Old 11-04-2014, 09:06 PM   #27
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3531
Quote:
Originally Posted by Fred Caro View Post
Code:
Snort BPF option: /var/log/syslog
Acquiring network traffic from "eth0".
ERROR: Can't set DAQ BPF filter to '/var/log/syslog' (pcap_daq_set_filter: pcap_compile: syntax error)!
As you haven't noticed / diagnosed it yourself, couple of remarks here. Snort appears to be listening on eth0 (instead of eth1) and somehow another option was incomplete as it seems to think it now uses a BPF (Berkeley Packet Filter). So either you have fiddled with options again, or maybe it's the Debian startup script, and until you figure out what it is you should run Snort in the way we determined it runs OK:
Code:
sudo snort -c /etc/snort/snort.conf -A fast -D -i eth1
That's neither preferable nor satisfactory but that's the best I can suggest for now.
 
1 members found this post helpful.
Old 11-05-2014, 06:47 PM   #28
Fred Caro
Member
 
Registered: May 2007
Posts: 999

Original Poster
Rep: Reputation: 166
reply

Thanks again, this is becoming a habit, sorry.

I did notice snort is tracking on eth0, this is the problem and that is why I suggested changing the conf file line containing 'any' to 'eth1,eth0'.
I did look for bpf entries in snort.conf, eg:

Code:
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ sudo grep -i bpf /etc/snort/snort.conf
[sudo] password for fred: 
# Configure default bpf_file to use for filtering what traffic reaches snort. For more information see snort -h command line options (-F)
# config bpf_file:
There is nothing relating to BPF below that last line I can see.
Then I tried the following:

Code:
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ sudo snort -c /etc/snort/snort.conf -A fast -D -i eth1 -v -T
[sudo] password for fred: 
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ sudo service snort stop
 * Stopping Network Intrusion Detection System  snort                                                                          *  - No running snort instance found
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ sudo snort -c /etc/snort/snort.conf -A fast -D -i eth1 -v -T
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ sudo snort -c /etc/snort/snort.conf -A fast -D -i eth1
Spawning daemon child...
My daemon child 2884 lives...
Daemon parent exiting (0)
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ sudo service snort status
 * Status of snort daemon(s)                                                                                           [ OK ] 
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ sudo service snort restart
 * Stopping Network Intrusion Detection System  snort                                                                  [ OK ] 
 * Starting Network Intrusion Detection System  snort                                                                  [ OK ] 
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ pgrep -lf snort
2956 snort
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ pgrep -lf snort | grep eth1
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ pgrep -lf snort | grep eth0
However, now getting this from syslog:

Code:
--
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2947]: [ Number of patterns truncated to 20 bytes: 1039 ]
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2947]: pcap DAQ configured to passive.
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2947]: Acquiring network traffic from "eth1".
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2947]: Initializing daemon mode
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Daemon initialized, signaled parent pid: 2947
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Reload thread starting...
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Reload thread started, thread 0x9f36db40 (2957)
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Decoding Ethernet
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Checking PID path...
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: PID path stat checked out ok, PID path set to /var/run/
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Writing PID "2956" to file "/var/run//snort_eth1.pid"
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Set gid to 127
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Set uid to 116
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: 
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]:         --== Initialization Complete ==--
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Commencing packet processing (pid=2956)
This is the tail end.

pgrep still does not give an eth1 indication; syslog seems to, so that seems to be progress?

Thanks for your patience, Fred.

 
Old 11-07-2014, 02:19 AM   #29
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3531
Quote:
Originally Posted by Fred Caro View Post
However, now getting this from syslog:

Code:
--
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2947]: [ Number of patterns truncated to 20 bytes: 1039 ]
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2947]: pcap DAQ configured to passive.
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2947]: Acquiring network traffic from "eth1".
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2947]: Initializing daemon mode
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Daemon initialized, signaled parent pid: 2947
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Reload thread starting...
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Reload thread started, thread 0x9f36db40 (2957)
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Decoding Ethernet
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Checking PID path...
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: PID path stat checked out ok, PID path set to /var/run/
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Writing PID "2956" to file "/var/run//snort_eth1.pid"
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Set gid to 127
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Set uid to 116
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: 
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]:         --== Initialization Complete ==--
Nov  5 23:27:35 fred-HP-Compaq-nc6220-PU982ET-ABU snort[2956]: Commencing packet processing (pid=2956)
This is the tail end.

pgrep still does not give a eth1 indication syslog seems to, so that seems to be progress?
Yes, it's listening on eth1. That's what you wanted so that's OK.
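Added example covering the two startups quoted above (the failed `eth0` run with the stray BPF option in post #27 and the successful `eth1` daemon start in posts #28 and #29); it is not Snort's own code and not from anyone in the thread. It reads the kind of lines `grep -i snort /var/log/syslog` returns (or Snort's console output) and checks what the thread kept asking: which interface Snort bound, which pid is the daemon, whether it dropped root, and whether it reached packet processing. SAMPLE_OK and SAMPLE_BAD are constructed from the messages quoted in the thread, and "eth1" as the wanted interface is the thread's own choice.

```python
"""Confirm a Snort daemon start from its syslog trail."""
import re

# Optional syslog prefix 'Nov  5 23:27:35 host snort[2956]: ', then the message.
SYSLOG_RE = re.compile(r"^(?:\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ snort\[(\d+)\]: )?(.*)$")

PATTERNS = {
    "interface": re.compile(r'Acquiring network traffic from "([^"]+)"'),
    "parent_pid": re.compile(r"Daemon initialized, signaled parent pid: (\d+)"),
    "pid_file": re.compile(r'Writing PID "(\d+)" to file "([^"]+)"'),
    "gid": re.compile(r"Set gid to (\d+)"),
    "uid": re.compile(r"Set uid to (\d+)"),
    "bpf": re.compile(r"Snort BPF option: (.+)"),
    "processing": re.compile(r"Commencing packet processing \(pid=(\d+)\)"),
}


def parse_startup(lines):
    """Pull the facts a health check needs out of Snort's startup messages."""
    info = {"errors": []}
    for line in lines:
        msg = SYSLOG_RE.match(line).group(2).strip()
        if msg.startswith("ERROR:") or msg.startswith("Fatal Error"):
            info["errors"].append(msg)
            continue
        for key, pat in PATTERNS.items():
            hit = pat.search(msg)
            if hit is None:
                continue
            if key == "pid_file":
                info["daemon_pid"] = int(hit.group(1))
                info["pid_file"] = hit.group(2)
            elif key in ("parent_pid", "gid", "uid", "processing"):
                info[key] = int(hit.group(1))
            else:
                info[key] = hit.group(1)
    return info


def check_startup(info, want_iface):
    """Return a list of findings; an empty list means the start looked right."""
    findings = []
    if info["errors"]:
        findings.append("startup failed: " + info["errors"][0])
    if info.get("interface") != want_iface:
        findings.append("listening on %s, expected %s" % (info.get("interface"), want_iface))
    if "bpf" in info:
        # A stray argument is taken as a BPF expression; pcap_compile then rejects it.
        findings.append("unexpected BPF filter %r" % info["bpf"])
    if "processing" not in info:
        findings.append("never reached packet processing")
    if not info.get("uid") or not info.get("gid"):
        findings.append("no uid/gid drop logged: daemon may still be root")
    return findings


HOST = "fred-HP-Compaq-nc6220-PU982ET-ABU"
SAMPLE_OK = [  # constructed from the syslog lines quoted in the thread
    "Nov  5 23:27:35 %s snort[2947]: pcap DAQ configured to passive." % HOST,
    'Nov  5 23:27:35 %s snort[2947]: Acquiring network traffic from "eth1".' % HOST,
    "Nov  5 23:27:35 %s snort[2947]: Initializing daemon mode" % HOST,
    "Nov  5 23:27:35 %s snort[2956]: Daemon initialized, signaled parent pid: 2947" % HOST,
    'Nov  5 23:27:35 %s snort[2956]: Writing PID "2956" to file "/var/run//snort_eth1.pid"' % HOST,
    "Nov  5 23:27:35 %s snort[2956]: Set gid to 127" % HOST,
    "Nov  5 23:27:35 %s snort[2956]: Set uid to 116" % HOST,
    "Nov  5 23:27:35 %s snort[2956]: Commencing packet processing (pid=2956)" % HOST,
]
SAMPLE_BAD = [  # constructed from the console output of the mistyped command
    "Running in packet dump mode",
    "Snort BPF option: /var/log/syslog",
    "pcap DAQ configured to passive.",
    'Acquiring network traffic from "eth0".',
    "ERROR: Can't set DAQ BPF filter to '/var/log/syslog' "
    "(pcap_daq_set_filter: pcap_compile: syntax error)!",
    "Fatal Error, Quitting..",
]


def report(lines, want_iface="eth1"):
    """Parse, check and print; returns (info, findings) for the caller."""
    info = parse_startup(lines)
    findings = check_startup(info, want_iface)
    print("daemon pid %s on %s: %s" % (info.get("daemon_pid"), info.get("interface"),
                                       "OK" if not findings else "; ".join(findings)))
    return info, findings


if __name__ == "__main__":
    report(SAMPLE_OK)
    report(SAMPLE_BAD)
```

On a live box, feed it `grep -i snort /var/log/syslog` from the most recent restart; the daemon pid it extracts is the one `sudo pgrep -lf snort` should list, and the pid file path is what the init script's stop action looks for.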
 
Old 11-08-2014, 08:19 PM   #30
Fred Caro
Member
 
Registered: May 2007
Posts: 999

Original Poster
Rep: Reputation: 166
Thanks. I will have to look into why it is not satisfactory or desirable apart from it (snort) being easier to set up in Debian.

Fred.
 