[Honeywall] Snort_inline log problem

Earl esammons at hush.com
Thu Jun 28 01:26:26 EDT 2007

On Wed, 27 Jun 2007 23:23:59 -0400 Phan Thanh Liêm
<liempt at hedspi.hut.edu.vn> wrote:

>Dear all,
>Initially, I installed Honeywall 1.1 and I encountered the same
>problem with snort_inline log.
>I cannot view it.
>After that I changed to Honeywall 1.2 and I still cannot see
>anything in snort_inline log.
>I'm sure that snort_inline is firing and not outbound rate
>My snort runs normally, so I compare the user priv between snort
>and snort_inline
>[root at roo ~]# ps -ef | grep snort
>snort    28305     1  0 00:04 ?        00:00:07 snort-plain -D -c
>/etc/snort/snort.conf -i eth1 -l /var/log/snort/20070628 -u snort -
>/var/log/snort -N
>root     30948     1 85 09:52 ?        00:00:05 snort-inline -D -c
>/etc/snort_inline/snort_inline.conf -Q -l
>-u snort -t /var/log/snort_inline
>Snort_inline runs with "root" priv only, doesn't it?


>Then I decided to change the mod of /var/log/snort_inline to 777
>and the owner of /var/log/snort_inline to snort.
>But it didn't solve anything.
>I'll attach my "honeywall.conf", "snort_inline.conf"

I just installed a clean roo-1.2, configured and ran 'nmap -sT -p20-30'
from a Honeypot to an outside host.  I see logs and inline
alerts in walleye.

Not sure if enabling additional logging and rules in your
inline.conf has anything to do with it...

HwHPOT_PUBLIC_IP is not defined in your honeywall.conf, which could
be the problem.

If the output of 'hwctl HwHPOT_PUBLIC_IP' reports that
HwHPOT_PUBLIC_IP is indeed empty, try adding the list of Honeypot
Walleye - sys admin, honeywall Administration, IP Information
Dialog - honeywall config, mode and IP, Honeypot IP
hwctl - 'hwctl -r HwHPOT_PUBLIC_IP="IP1 IP2 IP2"'
