iverson0881 Apprentice
Joined: 08 Jan 2004 Posts: 285 Location: CA
Posted: Sun Oct 31, 2004 8:45 pm Post subject: Snort Problems [Solved]
I followed this guide:
http://gentoo-wiki.com/HOWTO_Use_Snort%2C_Acid%2C_and_MySQL_Effectively
And I'm having problems starting up snort when I run "/etc/init.d/snort start". It fails and says:
```
snort: FATAL ERROR: OpenPcap() device eth0 open: bind: Network is down
```
Currently my setup is that I have an eth0 and then a wireless ath0. My eth0 is hardly ever connected to anything, so I need snort to run on ath0. When I run "snort -v" I get:
```
Gentoo omer # snort -v
Running in packet dump mode
Log directory = /var/log/snort
Initializing Network Interface ath0
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface ath0
--== Initialization Complete ==--
-*> Snort! <*-
Version 2.2.0 (Build 30)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
10/31-12:42:01.030596 192.168.0.101:32846 -> 192.168.0.1:53
UDP TTL:64 TOS:0x0 ID:54046 IpLen:20 DgmLen:63 DF
Len: 35
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
```
And it sits there dumping whatever is connecting to ath0, so I think that means my snort.conf file is configured correctly. But in any case, my snort.conf file is:
```
var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
output database: alert, mysql, user=snort password=XXX dbname=snort host=localhost
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/experimental.rules
```
If anyone knows what may be going on, it'd be appreciated. BTW, I'm running snort-2.2.0 from portage.
Thanks
Last edited by iverson0881 on Wed Nov 03, 2004 1:23 pm; edited 1 time in total
iverson0881 Apprentice
Joined: 08 Jan 2004 Posts: 285 Location: CA
Posted: Mon Nov 01, 2004 6:51 am
Hmm, well I fixed this issue by removing the driver for my eth0 device (forcedeth) and then modprobing it again, and snort started up. So it's all working well now. So how may I test if snort is working fine along with Acid? It's reporting stuff in there, but should I run Nmap or something similar from another machine on the local network?
iverson0881 Apprentice
Joined: 08 Jan 2004 Posts: 285 Location: CA
Posted: Mon Nov 01, 2004 7:16 am
Ok, well the /etc/init.d/snort script doesn't work correctly. Things just don't get logged. If I run "snort -c /etc/snort/snort.conf", things get logged as they should under ACID. So, any clues? Let me know if ya need some more info.
iverson0881 Apprentice
Joined: 08 Jan 2004 Posts: 285 Location: CA
Posted: Tue Nov 02, 2004 11:01 pm
bumpity bump bump
SoTired Apprentice
Joined: 19 May 2004 Posts: 174
Posted: Tue Nov 02, 2004 11:12 pm
I would check your /etc/conf.d/snort (if it exists; I've only ever actually used snort_inline) and see if it's running snort (SNORT_OPTS=... for snort_inline, at least) with something like -u snort_inline -g snort_inline. I remember that snort_inline wouldn't work for me unless I removed those (and hence had it run as root), though I'm not sure if that was a snort_inline or general snort thing. It's worth a try, anyways.
If you do let snort run as root, however, it would be advisable to pass it something like -t /home/snort_inline or something, so that in case it is exploited the cracker is limited to the chroot. Just be careful, your logs will be relative to the chroot now.
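An added example (not from the thread, and not Gentoo's init script) showing how to audit a conf.d-style snort file the way SoTired suggests before touching the -u/-g options: pull the -u, -g, -t and -l values out of SNORT_OPTS, work out which user the daemon will actually run as, and compute where the logs land on the host once a chroot is in play. The variable names SNORT_IFACE, SNORT_CONF and SNORT_OPTS are assumptions about the file's layout, and both sample files are constructed here and written to temp files so the script runs offline.

```shell
#!/bin/sh
# Added example, not the thread's or Gentoo's own code. SNORT_IFACE / SNORT_CONF /
# SNORT_OPTS are assumed variable names; both files below are constructed samples.

SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample: drops privileges to user/group snort, no chroot
SNORT_IFACE="ath0"
SNORT_CONF="/etc/snort/snort.conf"
SNORT_OPTS="-D -u snort -g snort -l /var/log/snort"
EOF

SAMPLE_CHROOT_CONF=$(mktemp)
cat > "$SAMPLE_CHROOT_CONF" <<'EOF'
# constructed sample: stays root but is confined to a chroot, as SoTired suggests
SNORT_IFACE="ath0"
SNORT_CONF="/etc/snort/snort.conf"
SNORT_OPTS="-D -t /home/snort -l /var/log/snort"
EOF

# conf_var FILE NAME: value of a NAME="..." line in FILE (empty if unset)
conf_var() {
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1"
}

# snort_opt FILE FLAG: the argument that follows FLAG inside SNORT_OPTS (empty if absent)
snort_opt() {
    conf_var "$1" SNORT_OPTS |
        awk -v flag="$2" '{ for (i = 1; i < NF; i++) if ($i == flag) print $(i + 1) }'
}

# snort_run_user FILE: the user snort keeps after initialisation; root when -u is not given
snort_run_user() {
    u=$(snort_opt "$1" -u)
    if [ -n "$u" ]; then printf '%s\n' "$u"; else printf 'root\n'; fi
}

# snort_logpath FILE: where the log directory sits on the host. With -t the -l path
# is relative to the chroot root, which is the gotcha SoTired warns about.
snort_logpath() {
    logdir=$(snort_opt "$1" -l)
    [ -n "$logdir" ] || logdir=/var/log/snort   # snort's built-in default log directory
    printf '%s%s\n' "$(snort_opt "$1" -t)" "$logdir"
}

# snort_report FILE: human-readable summary of what the init script will launch
snort_report() {
    t=$(snort_opt "$1" -t)
    u=$(snort_run_user "$1")
    printf 'interface: %s\n' "$(conf_var "$1" SNORT_IFACE)"
    printf 'config:    %s\n' "$(conf_var "$1" SNORT_CONF)"
    printf 'runs as:   %s\n' "$u"
    printf 'chroot:    %s\n' "${t:-(none)}"
    printf 'logs at:   %s\n' "$(snort_logpath "$1")"
    # When privileges are dropped, the log directory must be writable by that user
    # and snort.conf (with the DB credentials) readable by it, or nothing gets logged.
    if [ "$u" != root ]; then
        printf 'check:     %s must be able to write %s\n' "$u" "$(snort_logpath "$1")"
    fi
}

snort_report "$SAMPLE_CONF"
echo
snort_report "$SAMPLE_CHROOT_CONF"
```

Keeping -u/-g is the safer default: snort opens the capture device as root and then drops to the configured user, so the first thing to verify when the init script "runs but logs nothing" is whether that user can write the log directory and read the config, rather than removing the privilege drop. If you do go the chroot route instead, the report's "logs at" line is the path ACID and your log rotation need to look at.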
iverson0881 Apprentice
Joined: 08 Jan 2004 Posts: 285 Location: CA
Posted: Wed Nov 03, 2004 1:23 pm
thank you thank you! I didn't know this /etc/conf.d/snort had existed. It works great now, thanks =)