[Honeywall] Snort_inline log problem

Earl esammons at hush.com
Wed Jun 27 15:44:24 EDT 2007



LiemPT,

On Wed, 27 Jun 2007 03:07:22 -0400 Phan Thanh Liêm
<liempt at hedspi.hut.edu.vn> wrote:

>I cannot view snort_inline_fast or snort_inline_full through
>Walleye;
>the size of the log file is always 0.
>###
>[root@roo ~]# ls -al /var/log/snort_inline/20070626
>total 8
>drwxr-xr-x 2 snort snort 4096 Jun 26 15:47 .
>drwxr-xr-x 8 snort snort 4096 Jun 26 15:47 ..
>-rw------- 1 root  root     0 Jun 26 00:05 snort_inline-fast
>-rw------- 1 root  root     0 Jun 26 00:05 snort_inline-full
>-rw------- 1 root  root     0 Jun 26 00:05 tcpdump.log.1182816315
>-rw------- 1 root  root     0 Jun 26 15:11 tcpdump.log.1182870665
>-rw------- 1 root  root     0 Jun 26 15:47 tcpdump.log.1182872873
>###
>
>But I can view snort log file normally:
>[root@roo ~]# ls -al /var/log/snort/20070626
>total 136
>drwxr-xr-x  2 snort snort  4096 Jun 26 00:04 .
>drwxr-xr-x 10 snort snort  4096 Jun 26 15:23 ..
>-rw-------  1 root  root  37685 Jun 26 16:07 snort_fast
>-rw-------  1 root  root  80898 Jun 26 16:07 snort_full


I don't see any bugs in Bugzilla (https://bugs.honeynet.org/) on
this specifically and it doesn't ring any bells, so I'll have to dig
into it on a test system.  Are you sure snort_inline is firing and
not outbound rate limiting (i.e. you would see "OUTBOUND" in
/var/log/iptables)?


>I also added the USER parameter in /etc/init.d/hflow-snort_inline:
>${SNORT} -D -c ${CONF} -Q -l $DIR/$DATE -u ${USER} -t $DIR
>
>but this line appears in /var/log/messages:
>Jun 26 15:47:53 roo snort[20334]: Cannot set uid and gid when
>running Snort in inline mode.
>It seems that I cannot change the user that snort_inline runs as.

I don't believe it can drop privs because it needs to be able to
drop packets, send resets and do other rootly stuff.  Rob/Patrick?


>My snort_inline dropped packets as I wanted, but it didn't alert me
>to anything.
>
>How can I solve this problem?

I will have to look into the inline logging problem, unless anyone
else has seen this or has insight?

Earl
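As an added example (not code from this thread or from the Honeywall project), a small POSIX shell check that walks through the two questions raised above: are the day's snort_inline alert files zero bytes, and does /var/log/iptables contain OUTBOUND rate-limit lines? The paths are the ones from the listing; the fixture files and the iptables log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added diagnostic for the symptom in this thread; not Honeywall/roo code.
# Checks the two things Earl asks about: are the day's snort_inline alert
# files empty, and does the iptables log show OUTBOUND (rate-limit) lines?
# Return codes: 0 = alert files have data, 1 = alert files empty but OUTBOUND
# lines seen (rate limiting, not snort_inline, is likely what is firing),
# 2 = alert files empty and no OUTBOUND lines (look at snort_inline itself).
check_inline_logs() {
    daydir="$1"   # e.g. /var/log/snort_inline/20070626
    iptlog="$2"   # e.g. /var/log/iptables
    empty=0
    for f in snort_inline-fast snort_inline-full; do
        if [ ! -s "$daydir/$f" ]; then
            echo "empty or missing: $daydir/$f"
            empty=$((empty + 1))
        fi
    done
    # grep -c prints 0 and exits 1 when nothing matches; default to 0 if the
    # log file itself is missing.
    outbound=$(grep -c 'OUTBOUND' "$iptlog" 2>/dev/null || true)
    outbound=${outbound:-0}
    echo "OUTBOUND lines in $iptlog: $outbound"
    if [ "$empty" -eq 0 ]; then
        return 0
    elif [ "$outbound" -gt 0 ]; then
        return 1
    fi
    return 2
}

# Constructed fixture reproducing the listing above: zero-byte alert files
# plus an iptables log with a made-up OUTBOUND entry. Prints the base dir.
make_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/snort_inline/20070626"
    : > "$base/snort_inline/20070626/snort_inline-fast"
    : > "$base/snort_inline/20070626/snort_inline-full"
    cat > "$base/iptables" <<'EOF'
Jun 26 15:47:10 roo kernel: OUTBOUND TCP: IN=br0 OUT=br0 SRC=10.0.0.5 DST=192.0.2.10 DPT=80
Jun 26 15:47:11 roo kernel: INBOUND TCP: IN=br0 OUT=br0 SRC=192.0.2.20 DST=10.0.0.5 DPT=22
EOF
    echo "$base"
}

# Usage on a real honeywall:
#   check_inline_logs /var/log/snort_inline/20070626 /var/log/iptables
```

Run against the fixture it reports empty alert files with OUTBOUND lines present (return 1); once the alert files contain data it returns 0.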