just installed snort some probs


prodikal
September 9th, 2002, 01:25 AM
Hello peeps, I just installed Snort for Linux. Before I tell you what problems I am getting, I will explain how I installed it, just in case there is something wrong with the commands I gave. OK, here are the commands:
gzip -d snort-0.9.0.tar.gz
tar xvf snort-0.9.0.tar
cd /home/prodiakl/snort-0.9.0
su
./configure
make
make install
NOTE: I installed this from root.

And I gave Snort this command after I installed it:
./snort -d ./log ppp1
for it to run in the background on interface ppp1, which is my dial-up connection,
and I get the following:
log directory = ./log (NOTE: I already made a directory for the log under /var/log/snort)

ERROR: openPcap() device ppp0 open
socket operation not permitted
fatal error quitting..
Is this something obvious that I am just missing, or is it a bad install? I'm really wandering in the dark with this one; any help and advice is highly welcome.
Thanks to all in advance.
Peace

doktorf00bar
September 9th, 2002, 01:38 AM
Just a shot in the dark... is your snort.conf file set up properly? Is it where it belongs?

prodikal
September 9th, 2002, 01:45 AM
Set up properly? I don't quite follow. I can't get it to run at all, if that's of any help to you :( Sorry, still a noob to Linux. And the answer to your second question: Snort is installed into my home directory. Any idea as to what the errors mean?

aj67my
September 9th, 2002, 01:53 AM
It seems it might be a setting in your kernel, according to this post:
http://archives.neohapsis.com/archives/snort/2000-08/0242.html

Someone asked about the same error. It seems relevant to your problem; might help.

prodikal
September 9th, 2002, 02:02 AM
Thanks for the link, that is the exact error message I am getting.
Anyone know how to enable the SOCKET_PACKET socket type in my kernel? I don't really want to mess around with the kernel in case I feck up my computer, but if someone could explain what this means and point me in the right direction I would really appreciate it.

doktorf00bar
September 9th, 2002, 02:11 AM
Checked out the link. Sounds like you have to recompile your kernel. It's bound to happen sooner or later...

aj67my
September 9th, 2002, 02:17 AM
This might help you configure the kernel:
http://www.tldp.org/HOWTO/Kernel-HOWTO-4.html#ss4.3

problemchild
September 9th, 2002, 02:58 AM
Prodikal -

You won't hose your system as long as you keep the old kernel in your boot loader in case the new one doesn't boot. You can have as many different kernels and versions as you want. If you're going to recompile your kernel, I recommend getting 2.4.19 from kernel.org. That way, 1) you have the newest version, and 2) your modules will install to /lib/modules/2.4.19 instead of /lib/modules/2.4.18-3 and overwriting Red Hat's default modules. Then you can add the new kernel to grub without changing your old entry. When you finish, make a symlink from /usr/src/linux-2.4.19 to /usr/src/linux and you should be good as gold.

PM me if you have trouble and I'll try to help.

doktorf00bar
September 9th, 2002, 03:03 AM
And don't forget new iptables!

mochacin0
September 9th, 2002, 05:11 AM
Hi Prodikal,
What Linux distribution are you using? RedHat? Debian?
What kernel version are you using? I think you need kernel 2.4 or later for Snort to run properly. If you already have a 2.4 or later kernel and you are using RedHat or Debian, you don't really need to install Snort from scratch; there is an rpm/deb package.

And if you're using a Linux distro with rpm, following the instructions here may help: <www.snort.org/doc/snort-rh7-mysql.pdf>

g00n
September 9th, 2002, 07:31 AM
./snort -d ./log ppp1

OK, I think I see something here..

You cd to
/home/prodiakl/snort-0.9.0
then you execute snort like this:
./snort -d ./log ppp1

Now this would mean that the log directory you are specifying on the command line would be at /home/prodiakl/snort-0.9.0/log, which you later say you created in /var/log/snort, so this should be run like this:
/home/prodiakl/snort-0.9.0/snort -d /var/log/snort ppp1
Now that will remove the problem I stated above.
And if you haven't already, you'll most definitely want to double-check your snort.conf.

Now onto the pcap error. Do you have libpcap installed? I'm not sure how you can tell, but you should check (I'm sure someone here can tell you how). And you'll want to recompile your kernel; it's a learning experience. Also, have you tried logging in as root and running that command, as opposed to logging in as prodiakl and su'ing to root? Perhaps it's a permission problem not allowing a process started by prodiakl to use the pcap library. (Just a wild guess.)

But I'm sure you could get some more help if you posted what distribution, and which versions of your kernel and pcap libraries, you have.

After reading this I'm not sure I actually gave any help or just rambled... hope I helped though.

prodikal
September 9th, 2002, 12:32 PM
Thanks to all of you. problemchild, I have already backed up my kernel; it shows up at the boot loader screen under linux bak. goon, yes, I have got libpcap installed too, and I tried running the commands under root and I am still getting the same errors? Is libpcap a problem if you are running Snort too? Hmm, thanks again, I will need to do some serious reading; I have never compiled my kernel before. TY to all of you :D

EDIT: BTW, my kernel is 2.4 on Red Hat 7.3.

mochacin0
September 10th, 2002, 08:15 AM
Which libpcap version are you currently using? (rpm -qa | grep libpcap)

prodikal
September 10th, 2002, 10:29 AM
I'm using libpcap 0.7.1, and I didn't download the rpm for it, I downloaded the tarball. Why? Does it conflict with Snort? Please, people, I'm at a dead end on this. I'm really hoping I don't need to recompile my kernel; is there any other way?

aj67my
September 10th, 2002, 01:18 PM
I found another site to help you. From the first site I gave you, it said you needed to enable SOCKET_PACKET; next I gave you a site to show you the process of configuring and recompiling your kernel. I don't think you have much of a choice, unfortunately, but I could be wrong. Using menuconfig:

make menuconfig

you can now configure your kernel. I found this site:

http://hints.linuxfromscratch.org/hints/pppoe.txt

Now they are talking about getting some sort of device working, but if you scroll down to the installing the kernel section, the process you would follow should be similar.

slackwarelinux
September 12th, 2002, 05:34 PM
Kinda sounds like your ppp0 interface is already in promiscuous mode, hence you can't put it in promiscuous mode if it's already running in that manner.

Also your syntax is a little screwy. It should be something like this:

/usr/local/bin/snort -d -l /var/log/snort -i ppp0 &

You left out the -l for the log directory.
You left out the -i for the interface.
You left out the & to run it in the background.

prodikal
September 12th, 2002, 05:57 PM
Hmmm, slackwarelinux, thanks anyway. It seems to be progressing; I gave that command and I still got errors on the interface. What am I doing wrong here, anyone? What do I need to do with interface ppp0? I tried running Snort before I connected to the net too and I still got errors.
Here are the errors I got; if anyone could help, please feel free. I emailed the contact address at the Snort website but I didn't get any response back yet.
Here are the errors; this is the full message I get:

initializing net work interface ppp1
ioctl(SIOC+MTU): no such device
automagic MTU discovery failed. using default 1500
ERROR: OpenPcap() device ppp1 open
socket Operation not permitted
fatal Error, quitting

After I press enter to get the message away, I get this after it:

[1]+ Exit 1 /usr/local/bin/snort -d -l /var/log/snort -i ppp1

Does anyone have an insight into what is going wrong here? Any help from here is highly appreciated; thanks to all who have already replied.

mochacin0
November 27th, 2002, 10:54 PM
Hmm.. this is a tough one..
You might want to:
1. Check the name of the interface again: as root, run ifconfig.
2. Check if the interface is up properly: tcpdump -i <interface-name> and see if you get something on the screen.

That's all I can think of..
BTW, make sure you run Snort as root, at least for now, until you get it working properly; then you can think of creating a snort username, etc., etc..

Good luck.

Moch
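As an added example that is not code from this thread or from the Snort project: a POSIX sh pre-flight script that checks, before Snort is launched, the points the replies raise one at a time (slackwarelinux's corrected command line with -l and -i, g00n's log-directory mix-up, mochacin0's "run as root and check the interface name with ifconfig", and aj67my's kernel packet-socket point). The ifconfig listing it runs against offline is constructed; /usr/local/bin/snort is the path from slackwarelinux's post, and the /boot/config-<version> kernel config path is an assumed Red Hat layout.

```shell
#!/bin/sh
# Added example: a pre-flight script for the checks raised in this thread.
# Not code from the thread or from the Snort project.
# Checks: running as root (opening a packet socket needs it), the interface
# given with -i exists and is UP according to ifconfig, the -l log directory
# exists, the kernel has packet-socket support, and the command line carries
# -l and -i (the thread's original "./snort -d ./log ppp1" had neither).
# Assumed: Snort lives at /usr/local/bin/snort (the path used in the thread)
# and the kernel config, if installed, is at /boot/config-<version> (Red Hat layout).
SNORT_BIN=/usr/local/bin/snort

# Constructed sample "ifconfig -a" output for an offline run: the dial-up
# link came up as ppp0 (the thread mixes ppp0 and ppp1), and eth0 is down.
SAMPLE_IFCONFIG='lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          BROADCAST MULTICAST  MTU:1500  Metric:1
ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.0.0.2  P-t-P:10.0.0.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

# iface_listed IFACE LISTING: succeeds only if IFACE heads a line of LISTING,
# i.e. the kernel knows an interface by that name.
iface_listed() {
    printf '%s\n' "$2" | grep -q "^$1[[:space:]]"
}

# iface_up IFACE LISTING: succeeds if the flags line of IFACE's block carries UP.
iface_up() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        /^[^ ]/              { cur = $1 }   # a new interface block starts in column 0
        cur == ifc && / UP / { up = 1 }
        END                  { exit (up ? 0 : 1) }'
}

# packet_socket_supported: heuristic for the SOCKET_PACKET/CONFIG_PACKET point
# in the thread; /proc/net/packet is present when packet sockets are available,
# and the installed kernel config is consulted as a fallback.
packet_socket_supported() {
    [ -e /proc/net/packet ] && return 0
    cfg="/boot/config-$(uname -r)"
    [ -r "$cfg" ] && grep -q '^CONFIG_PACKET=[ym]' "$cfg"
}

# build_snort_cmd LOGDIR IFACE: the corrected command line from the thread.
build_snort_cmd() {
    printf '%s -d -l %s -i %s &' "$SNORT_BIN" "$1" "$2"
}

# preflight LOGDIR IFACE: live checks; prints a reason and fails on the first miss.
preflight() {
    logdir="$1"; iface="$2"
    [ "$(id -u)" -eq 0 ] || { echo "run as root: opening a packet socket needs it" >&2; return 1; }
    [ -d "$logdir" ] || { echo "log directory $logdir missing; mkdir -p $logdir" >&2; return 1; }
    [ -x "$SNORT_BIN" ] || { echo "$SNORT_BIN not found or not executable" >&2; return 1; }
    packet_socket_supported || { echo "kernel lacks packet-socket support (CONFIG_PACKET)" >&2; return 1; }
    listing=$(ifconfig -a 2>/dev/null || true)
    iface_listed "$iface" "$listing" || { echo "no interface named $iface; check ifconfig" >&2; return 1; }
    iface_up "$iface" "$listing" || { echo "$iface exists but is not UP; bring the link up first" >&2; return 1; }
    echo "ok, launch with: $(build_snort_cmd "$logdir" "$iface")"
}

# Offline demonstration on the constructed sample (no root needed).
for name in ppp0 ppp1 eth0; do
    if iface_listed "$name" "$SAMPLE_IFCONFIG"; then
        if iface_up "$name" "$SAMPLE_IFCONFIG"; then echo "$name: listed, UP"; else echo "$name: listed, DOWN"; fi
    else
        echo "$name: not listed"
    fi
done
echo "corrected command: $(build_snort_cmd /var/log/snort ppp0)"

# Live run, as root: ./preflight.sh /var/log/snort ppp0
if [ $# -ge 2 ]; then preflight "$1" "$2"; fi
```

Run with no arguments it only exercises the parsing functions against the constructed listing; with a log directory and interface name it performs the live checks in the order the thread's replies suggest, so the first failing check names the thing to fix rather than leaving you with the bare "socket Operation not permitted" line.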