[ale] A snort newbie question
James CE Johnson
jcej at tragus.org
Wed Aug 22 09:02:37 EDT 2001
On Tue, 21 Aug 2001 19:17:43 -0400 (EDT), Jonathan Rickman <jonathan at xcorps.net>
said:
> What version of snort are you running???
Sorry. 1.8.1-RELEASE (Build 74)
Do you suggest a different version?
> I've occasionally had
> problems with snort getting overwhelmed in promiscuous mode. Try the -p
> flag to prevent promisc mode. My gut instinct is that you need to use the
> $ethX_ADDRESS variable on both EXTERNAL and INTERNAL, and kick it out of
> promiscuous mode. That should fix it.
It doesn't seem to like $ethX except for the interface I give to '-i'. With
snort.config set to this:
var HOME_NET $eth0_ADDRESS
var EXTERNAL_NET $eth1_ADDRESS
I do this:
# snort -Afull -i eth1 -c snort.conf -p
And get this:
Log directory =
--== Initializing Snort ==--
Checking PID path...
PATH_VARRUN is set to /var/run/ on this operating system
Initializing Network Interface eth1
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
[!] ERROR snort.conf (47): Bad value in variable definition!
Make sure you don't have a "$" in the var name
Fatal Error, Quitting..
I also tried giving it '-i' for both interfaces but it didn't help.
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
More information about the Ale
mailing list