[Honeywall] Snort_inline log problem

Phan Thanh Liêm liempt at hedspi.hut.edu.vn
Wed Jun 27 03:07:22 EDT 2007


Hello everybody,

I'm LiemPT, a network admin of Hanoi University of Technology.
I've found much useful information on your website, honeynet.org,
especially the Honeywall CDROM.

I installed it a month ago.
Everything seems fine except the snort_inline log.

I cannot view snort_inline_fast or snort_inline_full through Walleye;
the size of the log file is always 0.
###
[root at roo ~]# ls -al /var/log/snort_inline/20070626
total 8
drwxr-xr-x 2 snort snort 4096 Jun 26 15:47 .
drwxr-xr-x 8 snort snort 4096 Jun 26 15:47 ..
-rw------- 1 root  root     0 Jun 26 00:05 snort_inline-fast
-rw------- 1 root  root     0 Jun 26 00:05 snort_inline-full
-rw------- 1 root  root     0 Jun 26 00:05 tcpdump.log.1182816315
-rw------- 1 root  root     0 Jun 26 15:11 tcpdump.log.1182870665
-rw------- 1 root  root     0 Jun 26 15:47 tcpdump.log.1182872873
###

But I can view snort log file normally:
[root at roo ~]# ls -al /var/log/snort/20070626
total 136
drwxr-xr-x  2 snort snort  4096 Jun 26 00:04 .
drwxr-xr-x 10 snort snort  4096 Jun 26 15:23 ..
-rw-------  1 root  root  37685 Jun 26 16:07 snort_fast
-rw-------  1 root  root  80898 Jun 26 16:07 snort_full

I also added the USER parameter in /etc/init.d/hflow-snort_inline:
${SNORT} -D -c ${CONF} -Q -l $DIR/$DATE -u ${USER} -t $DIR

but in /var/log/messages this line appears:
Jun 26 15:47:53 roo snort[20334]: Cannot set uid and gid when running Snort in inline mode.
It seems that I cannot change the user that runs snort_inline.

My snort_inline dropped packets as I wanted, but it didn't alert me about anything.

How can I solve this problem?
Thank you very much.

Brgds.
LiemPT.
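An IDS that keeps dropping packets while writing nothing to its alert files is a silent monitoring failure, so the condition described in this post is worth checking for routinely. The following health check is an added example, not code from the post or from the Honeywall project; it assumes the layout the post shows (a per-day YYYYMMDD directory under the snort_inline log root containing snort_inline-fast and snort_inline-full) and a syslog file in the /var/log/messages format, and it looks for the exact error line the post quotes.

```shell
#!/bin/sh
# Health check for a Honeywall-style snort_inline deployment (added example,
# not from the post or the Honeywall project). Assumed layout, taken from
# the post: LOGROOT/YYYYMMDD/snort_inline-fast and snort_inline-full, and
# the daemon's syslog lines in a messages file.
# Exit status of check_snort_inline:
#   0 = alert logs have content and no uid/gid error was logged
#   1 = an alert log exists but is 0 bytes
#   2 = syslog shows snort_inline refusing -u/-g in inline mode

# find_empty_alert_logs LOGDIR
# Prints "EMPTY <path>" for each alert log that exists but is 0 bytes.
# Returns 1 if any such file was found, 0 otherwise.
find_empty_alert_logs() {
    dir=$1
    rc=0
    for f in "$dir"/snort_inline-fast "$dir"/snort_inline-full; do
        if [ -f "$f" ] && [ ! -s "$f" ]; then
            echo "EMPTY $f"
            rc=1
        fi
    done
    return $rc
}

# has_inline_uid_error MESSAGES_FILE
# Returns 0 if the syslog file contains the error line quoted in the post,
# which snort_inline logs when -u/-g is combined with inline mode (-Q).
has_inline_uid_error() {
    grep -q 'Cannot set uid and gid when running Snort in inline mode' "$1"
}

# check_snort_inline LOGROOT MESSAGES_FILE [DATE]
# DATE defaults to today's YYYYMMDD directory, matching the post's layout.
check_snort_inline() {
    root=$1; msgs=$2; day=${3:-$(date +%Y%m%d)}
    status=0
    find_empty_alert_logs "$root/$day" || status=1
    if has_inline_uid_error "$msgs"; then
        echo "UIDERR snort_inline rejected -u/-g in inline mode (see $msgs)"
        status=2
    fi
    return $status
}
```

Run it as `check_snort_inline /var/log/snort_inline /var/log/messages` from cron and alert on any non-zero status.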
