[Honeywall] Snort_inline log problem

Earl esammons at hush.com
Wed Jun 27 15:44:24 EDT 2007


On Wed, 27 Jun 2007 03:07:22 -0400 Phan Thanh Liêm
<liempt at hedspi.hut.edu.vn> wrote:

>I cannot view snort_inline_fast, snort_inline_full through
>The size of the log file is always 0.
>[root at roo ~]# ls -al /var/log/snort_inline/20070626
>total 8
>drwxr-xr-x 2 snort snort 4096 Jun 26 15:47 .
>drwxr-xr-x 8 snort snort 4096 Jun 26 15:47 ..
>-rw------- 1 root  root     0 Jun 26 00:05 snort_inline-fast
>-rw------- 1 root  root     0 Jun 26 00:05 snort_inline-full
>-rw------- 1 root  root     0 Jun 26 00:05 tcpdump.log.1182816315
>-rw------- 1 root  root     0 Jun 26 15:11 tcpdump.log.1182870665
>-rw------- 1 root  root     0 Jun 26 15:47 tcpdump.log.1182872873
>But I can view snort log file normally:
>[root at roo ~]# ls -al /var/log/snort/20070626
>total 136
>drwxr-xr-x  2 snort snort  4096 Jun 26 00:04 .
>drwxr-xr-x 10 snort snort  4096 Jun 26 15:23 ..
>-rw-------  1 root  root  37685 Jun 26 16:07 snort_fast
>-rw-------  1 root  root  80898 Jun 26 16:07 snort_full

I don't see any bugs in Bugzilla (https://bugs.honeynet.org/) on
this specifically and it doesn't ring any bells, so I'll have to dig
into it on a test system. You are sure snort_inline is firing and
not outbound rate limiting (i.e. you would see "OUTBOUND" in
/var/log/iptables)?

>I also added the USER parameter in /etc/init.d/hflow-snort_inline:
>${SNORT} -D -c ${CONF} -Q -l $DIR/$DATE -u ${USER} -t $DIR
>but in the /var/log/messages appears this line.
>Jun 26 15:47:53 roo snort[20334]: Cannot set uid and gid when
>running Snort in inline mode.
>It seems that I can not change the user to run snort_inline.

I don't believe it can drop privs because it needs to be able to
drop packets, send resets and other rootly stuff. Rob/Patrick?

>My snort_inline dropped packets as I want but it didn't alert me
>How can I solve this problem?

Will have to look into the inline logging problem unless anyone
else has seen this or has insight?
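As an added diagnostic that is not part of this thread, the POSIX shell script below applies Earl's check: it tells empty snort_inline logs apart from drops caused by the Honeywall's outbound connection limiting (OUTBOUND entries in /var/log/iptables). The verdict names, the helper names and the sample log lines are my own constructions, not Honeywall's.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Separates "snort_inline drops
# but its logs stay empty" from "the Honeywall's outbound connection
# limiting (OUTBOUND lines in /var/log/iptables) did the dropping".
# Log paths are parameters, so it runs here on constructed sample data.

# Print "<empty>/<total>" for the regular files in directory $1.
empty_log_report() {
    total=0; empty=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        total=$((total + 1))
        [ -s "$f" ] || empty=$((empty + 1))
    done
    echo "$empty/$total"
}

# Number of OUTBOUND (connection-limit) lines in iptables log $1.
outbound_limit_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c 'OUTBOUND' "$1" || true
}

# Verdict for snort_inline log dir $1 and iptables log $2:
#   ok             - the snort_inline logs contain data
#   limit          - logs empty, but OUTBOUND entries explain the drops
#   inline-logging - logs empty and no OUTBOUND entries: logging fault
#   no-logs        - no log files at all (wrong dir, or snort_inline down)
diagnose() {
    r=$(empty_log_report "$1"); empty=${r%/*}; total=${r#*/}
    if [ "$total" -eq 0 ]; then echo no-logs
    elif [ "$empty" -lt "$total" ]; then echo ok
    elif [ "$(outbound_limit_count "$2")" -gt 0 ]; then echo limit
    else echo inline-logging
    fi
}

# Constructed sample data mirroring the listing in the thread: zero-byte
# snort_inline logs, a non-empty snort log, and two made-up iptables logs.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/snort_inline/20070626" "$SAMPLE/snort/20070626"
: > "$SAMPLE/snort_inline/20070626/snort_inline-fast"
: > "$SAMPLE/snort_inline/20070626/snort_inline-full"
printf 'sample alert\n' > "$SAMPLE/snort/20070626/snort_fast"
printf 'Jun 26 15:11:02 roo kernel: INBOUND TCP: SRC=10.0.0.5\n' > "$SAMPLE/iptables"
printf 'Jun 26 15:12:00 roo kernel: OUTBOUND TCP: SRC=10.0.0.9\n' > "$SAMPLE/iptables.limit"
diagnose "$SAMPLE/snort_inline/20070626" "$SAMPLE/iptables"        # inline-logging
diagnose "$SAMPLE/snort_inline/20070626" "$SAMPLE/iptables.limit"  # limit
diagnose "$SAMPLE/snort/20070626" "$SAMPLE/iptables"               # ok
```

On a real Honeywall, point the first argument at /var/log/snort_inline/<date> and the second at /var/log/iptables; a "limit" verdict means the connection limiter, not snort_inline, is what dropped the traffic.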
