[Honeywall] Snort_inline log problem
esammons at hush.com
Thu Jun 28 01:26:26 EDT 2007
On Wed, 27 Jun 2007 23:23:59 -0400 Phan Thanh Liêm
<liempt at hedspi.hut.edu.vn> wrote:
>Initially, I installed Honeywall 1.1 and I encountered the same
>problem with snort_inline log.
>I can not view it.
>After that I changed to Honeywall 1.2 and I still can not see
>anything in snort_inline log.
>I'm sure that snort_inline is firing and not outbound rate
>My snort runs normally, so I compare the user priv between snort
>[root@roo ~]# ps -ef | grep snort
>snort 28305 1 0 00:04 ? 00:00:07 snort-plain -D -c
>/etc/snort/snort.conf -i eth1 -l /var/log/snort/20070628 -u snort -
>root 30948 1 85 09:52 ? 00:00:05 snort-inline -D -c
>/etc/snort_inline/snort_inline.conf -Q -l
>-u snort -t /var/log/snort_inline
>Snort_inline runs with "root" priv only, doesn't it?
>Then I decided to change the mod of /var/log/snort_inline to 777
>and the owner of /var/log/snort_inline to snort.
>But it didn't solve anything.
>I'll attach my "honeywall.conf", "snort_inline.conf"
I just installed a clean roo-1.2, configured and ran 'nmap -sT -p20-30'
from a Honeypot to an outside host. I see logs and inline
alerts in walleye.
Not sure if enabling additional logging and rules in your
inline.conf has anything to do with it...
HwHPOT_PUBLIC_IP is not defined in your honeywall.conf which could
be the problem.
If the output of 'hwctl HwHPOT_PUBLIC_IP' reports that
HwHPOT_PUBLIC_IP is indeed empty, try adding the list of Honeypot
Walleye - sys admin, honeywall Administration, IP Information
Dialog - honeywall config, mode and IP, Honeypot IP
hwctl - 'hwctl -r HwHPOT_PUBLIC_IP="IP1 IP2 IP2"'
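The check suggested in the reply above, as an added example that is not part of the original message or of the Honeywall tooling: a shell pre-flight check that reads a honeywall.conf-style file and reports whether HwHPOT_PUBLIC_IP is unset, empty or malformed. It assumes the file holds shell-style NAME=value lines; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example; assumes honeywall.conf holds shell-style NAME=value lines.
# Function names are hypothetical, not part of the Honeywall tooling.

# Print the value of the last HwHPOT_PUBLIC_IP assignment, quotes stripped.
hpot_ips() {
    sed -n 's/^[[:space:]]*HwHPOT_PUBLIC_IP=//p' "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^["'\'']//' -e 's/["'\'']$//' \
            -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Succeed only for a dotted quad whose four octets are each 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Returns 0 and prints the list if usable, 1 if unset or empty,
# 2 if an entry is not an IPv4 address, 3 if the file is unreadable.
check_hpot_public_ip() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 3; }
    ips=$(hpot_ips "$conf")
    if [ -z "$ips" ]; then
        echo "HwHPOT_PUBLIC_IP is unset or empty in $conf" >&2
        return 1
    fi
    for ip in $ips; do
        valid_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 2; }
    done
    echo "$ips"
}

# Constructed sample: the variable is present but empty.
sample=$(mktemp)
printf '# constructed sample\nHwHPOT_PUBLIC_IP=\n' > "$sample"
check_hpot_public_ip "$sample" || echo "check failed with status $?"
rm -f "$sample"
```

Run against the real configuration file, a non-zero status before snort_inline starts points at the honeypot IP list rather than at log directory permissions.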