LinuxQuestions.org
10-10-2014, 08:27 PM   #1
Fred Caro
snort will not run on eth1 in mint17


Truth is I cannot see it running on any eth. Set up as usual and took the defaults from 'apt-get install', then went to change the looked-at connection in 'snort.debian.conf' from eth0 to eth1 for the wifi. Ran 'pgrep -lf snort | grep eth0' (or eth1) and got nothing. Much has changed in this iteration of Mint; just wondered if I have to do some major config of snort.conf.

Fred.
 
10-11-2014, 01:59 PM   #2
bigrigdriver
Assuming Mint isn't too different from Debian, here's a step-by-step article at aboutdebian.com which lists packages to install, files to configure, etc.
http://www.aboutdebian.com/snort.htm

I hope it helps you.
 
10-11-2014, 08:53 PM   #3
Fred Caro
That's a lot of packages and a lot of different setups. I did wonder if anyone had had the same problem on Mint17; much has changed. Snort seemed to work ok almost 'out of the box' before. Surely it is a small config problem?

Fred.
 
10-11-2014, 09:45 PM   #4
unSpawn
See the Snort manual: run without daemon mode, with output to stdout / stderr and with a "dry run". Check the output for clues and, if uncertain, post it inside vBB "code" tags.
 
10-12-2014, 07:36 PM   #5
Fred Caro
If right, shows snort running elsewhere

My snort manual is from 2011 but the results are as follows:
Code:
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ ./snort -vde
bash: ./snort: No such file or directory
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ sudo ./snort -vde
[sudo] password for fred: 
sudo: ./snort: command not found
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ sudo snort -vde
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.0 GRE (Build 47) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.8

Commencing packet processing (pid=3089)
^C*** Caught Int-Signal
===============================================================================
Run time for packet processing was 196.949008 seconds
Snort processed 0 packets.
Snort ran for 0 days 0 hours 3 minutes 16 seconds
   Pkts/min:            0
   Pkts/sec:            0
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       610304
  Bytes in mapped regions (hblkhd):      6868992
  Total allocated space (uordblks):      488944
  Total free space (fordblks):           121360
  Topmost releasable block (keepcost):   116920
===============================================================================
Packet I/O Totals:
   Received:            0
   Analyzed:            0 (  0.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:            0 (  0.000%)
       VLAN:            0 (  0.000%)
        IP4:            0 (  0.000%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            0 (  0.000%)
        TCP:            0 (  0.000%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:            0
===============================================================================
Snort exiting
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $
Might have to turn off daemon service first but it did say initializing.

snort directory is this:

Code:
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ cd /etc/snort; ls
classification.config gen-msg.map rules snort.debian.conf threshold.conf
community-sid-msg.map reference.config snort.conf snort.debian.conf.old unicode.map
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /etc/snort $

Fred.
 
10-12-2014, 07:44 PM   #6
unSpawn
Run snort as
Code:
sudo /path/to/snort -c /path/to/%{whicheverconfyouuse}.conf -i eth1 -v -T 2>&1|tee /tmp/snort.out
then post contents of "/path/to/%{whicheverconfyouuse}.conf" and "/tmp/snort.out"?
 
10-12-2014, 08:25 PM   #7
Fred Caro
results, I think

Code:
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ sudo /etc/snort/ -c /etc/snort/%{snort.debian}.conf -i eth1 -v -T 2>&1|tee /tmp/snort.out
[sudo] password for fred: 
sudo: /etc/snort/: command not found
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ cat /tmp/snort.out
sudo: /etc/snort/: command not found
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ sudo /etc/snort/ -c /etc/snort/%{snort.debian}.conf -i eth0 -v -T 2>&1|tee /tmp/snort.out
sudo: /etc/snort/: command not found
fred@fred-HP-Compaq-nc6220-PU982ET-ABU ~ $ cd /tmp/
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /tmp $ ls
hsperfdata_fred  icedteaplugin-mdm-IiW73g  ksocket-fred  orbit-fred          snort.out
hsperfdata_mdm   kde-fred                  mintUpdate    pulse-PKdhtXMmr18n  ssh-pXA6Hj6rszFK
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /tmp $ cat snort.out
sudo: /etc/snort/: command not found
fred@fred-HP-Compaq-nc6220-PU982ET-ABU /tmp $
It seems to be no longer using that conf file?

Fred.
 
10-14-2014, 03:07 AM   #8
unSpawn
Use "/etc/snort/snort.debian.conf" please, I'll forsake the use of undeclared odd variable names ;-p
 
10-15-2014, 07:47 PM   #9
Fred Caro
unspawn,
thanks for the reply, despite the fact I don't know what it means and I didn't spot a -p option. It is the 'snort.debian.conf' that is having little effect.

Fred.
 
10-18-2014, 03:09 AM   #10
unSpawn
Try this:
Code:
sudo snort -c /etc/snort/snort.debian.conf -i eth1 -v -T 2>&1|tee /tmp/snort.out
then post the contents of /etc/snort/snort.debian.conf and /tmp/snort.out.
 
10-19-2014, 10:06 AM   #11
Fred Caro
snort + mint17+debian.conf

results of /tmp/snort.out:

Code:
Running in Test mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.debian.conf"
ERROR: /etc/snort/snort.debian.conf(16) Invalid configuration line: DEBIAN_SNORT_STARTUP="boot"
contents of snort.debian.conf:

Code:
# snort.debian.config (Debian Snort configuration file)
#
# This file was generated by the post-installation script of the snort
# package using values from the debconf database.
#
# It is used for options that are changed by Debian to leave
# the original configuration files untouched.
#
# This file is automatically updated on upgrades of the snort package
# *only* if it has not been modified since the last upgrade of that package.
#
# If you have edited this file but would like it to be automatically updated
# again, run the following command as root:
#   dpkg-reconfigure snort

DEBIAN_SNORT_STARTUP="boot"
DEBIAN_SNORT_HOME_NET="192.168.0.100/32"
DEBIAN_SNORT_OPTIONS=""
DEBIAN_SNORT_INTERFACE="eth1"
DEBIAN_SNORT_SEND_STATS="false"
DEBIAN_SNORT_STATS_RCPT="root"
DEBIAN_SNORT_STATS_THRESHOLD="1"
Not sure why snort can't start at boot, unless home net should be /24.

Thanks for taking the time.

Fred.
 
10-19-2014, 10:52 AM   #12
unSpawn
As you can clearly see from the output "/etc/snort/snort.debian.conf" is NOT a valid Snort configuration file.
It has something to do with whatever it is Debian does specifically to start the application.
So first properly configure "/etc/snort/snort.conf".
Then post contents of /tmp/snort.out and /etc/snort/snort.conf.
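The distinction unSpawn draws here can be checked mechanically, because the error in post #11 is exactly what Snort prints when it is handed a file of shell variables instead of a rules file. The script below is an added example, not code from this thread, from Snort or from the Debian snort package: it classifies a file by its first directive, reads snort.debian.conf without sourcing it (a sourced file runs whatever someone managed to write into it, with the caller's privileges), and prints the command line the Debian init script would build from it. The option set in debian_cmdline and the path /usr/sbin/snort are assumptions about Debian's /etc/init.d/snort; compare them with the script on your own box. The demo files it writes are constructed (the snort.debian.conf is the one from post #11).

```shell
#!/bin/sh
# Added example (not from the thread, Snort or the Debian package): tell a real
# Snort configuration apart from Debian's snort.debian.conf, and show how the
# init script turns the latter into a snort command line.

# Print "snort" if the first non-blank, non-comment line is a Snort directive,
# "debian-vars" if it is a DEBIAN_SNORT_*="..." shell assignment, else "unknown".
classify_conf() {
    first=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | head -n 1)
    case "$first" in
        "var "*|"ipvar "*|"portvar "*|"config "*|"preprocessor "*|"include "*|"output "*|dynamic*)
            echo snort ;;
        DEBIAN_SNORT_*=*)
            echo debian-vars ;;
        *)
            echo unknown ;;
    esac
}

# Read one KEY="value" setting without sourcing the file: sourcing would execute
# any command appended to it, with the privileges of whoever sources it (root).
debian_var() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1" | tail -n 1
}

# Command line Debian's init script builds for the configured interface. The
# exact option set is an ASSUMPTION; compare with /etc/init.d/snort on the box.
debian_cmdline() {
    iface=$(debian_var "$1" DEBIAN_SNORT_INTERFACE)
    home=$(debian_var "$1" DEBIAN_SNORT_HOME_NET)
    extra=$(debian_var "$1" DEBIAN_SNORT_OPTIONS)
    printf '/usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort'
    printf ' -c /etc/snort/snort.conf -S HOME_NET=[%s] -i %s' "$home" "$iface"
    [ -z "$extra" ] || printf ' %s' "$extra"
    printf '\n'
}

# Constructed demo input: the snort.debian.conf posted in the thread plus a
# minimal snort.conf, written to a temp directory whose path is printed.
make_demo_files() {
    dir=$(mktemp -d)
    cat > "$dir/snort.debian.conf" <<'EOF'
# snort.debian.config (Debian Snort configuration file)
DEBIAN_SNORT_STARTUP="boot"
DEBIAN_SNORT_HOME_NET="192.168.0.100/32"
DEBIAN_SNORT_OPTIONS=""
DEBIAN_SNORT_INTERFACE="eth1"
EOF
    cat > "$dir/snort.conf" <<'EOF'
# minimal Snort config (constructed for the demo)
ipvar HOME_NET 192.168.0.0/24
preprocessor frag3_global
EOF
    echo "$dir"
}

# Usage: sh this.sh           -> run the demo on the constructed files
#        sh this.sh FILE...   -> classify the given files
if [ $# -gt 0 ]; then
    for f in "$@"; do printf '%s: %s\n' "$f" "$(classify_conf "$f")"; done
else
    d=$(make_demo_files)
    for f in "$d/snort.conf" "$d/snort.debian.conf"; do
        printf '%s: %s\n' "$f" "$(classify_conf "$f")"
    done
    echo "init script would run: $(debian_cmdline "$d/snort.debian.conf")"
    rm -rf "$d"
fi
```

A file that classifies as debian-vars belongs to the init script; the file to hand to snort -c, and to fix when -T complains, is the one that classifies as snort.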
 
10-19-2014, 08:48 PM   #13
Fred Caro
will try that but it worked (snort.debian.conf) in Mint13.

Fred.
 
10-20-2014, 08:06 PM   #14
Fred Caro
ham-fisted snort

Tried to configure snort without a decent result, but the trial run said it worked, however ugly; still not running, see attachments!

snort4.txt is snort.conf

snort3.txt is /tmp/snort.out

sorry but couldn't edit it to fit in the code bit.

Fred
Attached Files
snort4.txt (29.1 KB)
snort3.txt (104.8 KB)
 
10-21-2014, 06:16 PM   #15
unSpawn
Quote:
Originally Posted by Fred Caro
Tried to configure snort without a decent result
I'm sorry, but what exactly did you try to configure and what exactly should have been the result of that? *Do realize that while you're at the keyboard I have to work with what info you provide. So until you provide details, be it actual commands,
Code:
diff -urN /etc/snort/snort.conf.orig /etc/snort/snort.conf
or similarly readable changes (note these file names assert you made a backup before editing the file) or a verbose account of things, you'll be facing that kind of question.


Quote:
Originally Posted by Fred Caro
but trial run said it worked, however ugly, but still not running,
That's because it's test mode. Output looks clean, so starting it like this should put it as a daemon in the background:
Code:
sudo snort -c /etc/snort/snort.conf -i eth1 -D
..after which you can test that it's running by checking it with something like:
Code:
sudo pgrep -lf snort
..and check the output in your log directory.
*Note if you configured unified logging you will need Barnyard2. See the Snort documentation for more info.
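The pgrep check above works, but the OP's original `pgrep -lf snort | grep eth0` also matches any other process whose command line mentions snort (a `grep snort`, a `snort -T` test run, a `tee /tmp/snort.out`) and says nothing about which interface a daemon is actually on. The script below is an added example, not code from this thread or from Snort: it reads each process's full command line and reports the -i interface, falling back to "-" for a snort started without -i (which then picks its own default, as in the OP's first run on eth0). The sample process list in SAMPLE_PS is constructed; snort_running_on is the only part that needs a real process table.

```shell
#!/bin/sh
# Added example (not from the thread or from Snort): find out which interface
# each running Snort process was started on by reading its full command line,
# instead of grepping "snort" and hoping the match is the daemon.

# Print the argument of -i (either "-i eth1" or "-ieth1") from one command line.
# Exit 1 if the command line carries no -i at all.
iface_from_cmdline() (
    set -f              # no pathname expansion: "[192.168.0.100/32]" is a glob
    set -- $1           # word-split the command line into $1 $2 ...
    while [ $# -gt 0 ]; do
        case "$1" in
            -i)   [ $# -gt 1 ] && printf '%s\n' "$2"; exit 0 ;;
            -i?*) printf '%s\n' "${1#-i}"; exit 0 ;;
        esac
        shift
    done
    exit 1
)

# Read "PID COMMAND" records (what `ps -eo pid,args` prints) on stdin and emit
# "PID IFACE" for each snort process; IFACE is "-" when snort was started
# without -i and so picked its own default interface.
snort_listeners() {
    while read -r pid cmd; do
        case "$cmd" in
            snort|"snort "*|*"/snort "*) ;;   # the program itself must be snort
            *) continue ;;                    # drops grep/pgrep/tee lines
        esac
        iface=$(iface_from_cmdline "$cmd" || true)
        [ -n "$iface" ] || iface='-'
        printf '%s %s\n' "$pid" "$iface"
    done
}

# Live check: succeed (and print the matching lines) if a snort process is
# running on interface $1. Needs a real process table, so not run by the demo.
snort_running_on() {
    ps -eo pid,args | sed 1d | snort_listeners | grep -w -- "$1"
}

# Constructed sample process list: a Debian-style snort start, plus the noise a
# plain "pgrep -lf snort" would also report.
SAMPLE_PS='  3089 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=[192.168.0.100/32] -i eth1
  3101 grep --color=auto snort
  3120 snort -c /etc/snort/snort.conf -T
  3130 /usr/sbin/snort -ieth0 -c /etc/snort/snort.conf'

# Run the parser over the sample (prints "3089 eth1", "3120 -", "3130 eth0").
demo() {
    printf '%s\n' "$SAMPLE_PS" | snort_listeners
}

demo
```

On a live box, `snort_running_on eth1` exits non-zero when no snort process carries `-i eth1`, which is the condition the OP was actually trying to test.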
 
  

