
Thread: just installed snort some probs

  1. #1
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050

    just installed snort some probs

    hello peeps, i just installed snort for linux. before i tell u what probs i am getting i will explain how i installed it, just in case there is something wrong with the commands i gave. ok, here's the commands:
    gzip -d snort-0.9.0.tar.gz
    tar xvf snort-0.9.0.tar
    cd /home/prodiakl/snort-0.9.0
    su
    ./configure
    make
    make install
    NOTE: i installed this from root

    and i gave snort the command after i installed it
    ./snort -d ./log ppp1
    for it to run in the background on interface ppp1, which is my dial up connection,
    and i get the following
    log directory =./log
    NOTE: i already made a directory for the log under /var/log/snort

    ERROR: openPcap() device ppp0 open
    socket operation not permitted
    fatal error quitting..
    is this something obvious that i am just missing or is it a bad install? i'm really wandering in the dark with this 1. any help and advice is highly welcome
    thanks to all in advance
    peace
    By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
    The 20th century pharoes have the slaves demanding work
    http://muaythaiscotland.com/

  2. #2
    Senior Member
    Join Date
    Jul 2002
    Posts
    225
    Just a shot in the dark...is your snort.conf file set up properly? is it where it belongs?
    "Now it's time to erase the story of our bogus fate. Our history as it's portrayed is just a recipe for hate!"
    -Bad Religion

  3. #3
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    set up properly? i don't quite follow. i can't get it to run at all, if that's of any help to u. sorry, still a noob to linux. and the answer to your second question: snort is installed in to my home directory. any idea as to what the errors mean?
    By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
    The 20th century pharoes have the slaves demanding work
    http://muaythaiscotland.com/

  4. #4
    It seems it might be a setting in your kernel according to this post:
    http://archives.neohapsis.com/archiv...0-08/0242.html

    Someone asked about the same error. It seems relevant to your problem, might help.
    test

  5. #5
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    thanks for the link that is the exact error message i am getting
    any 1 know how to enable the SOCKET_PACKET socket type in my kernel? i don't really wanna mess around with the kernel in case i feck up my computer, but if some 1 could explain what this means and point me in the right direction i would really appreciate it
    By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
    The 20th century pharoes have the slaves demanding work
    http://muaythaiscotland.com/

  6. #6
    Senior Member
    Join Date
    Jul 2002
    Posts
    225
    Checked out the link. Sounds like you have to recompile your kernel. It's bound to happen sooner or later...
    "Now it's time to erase the story of our bogus fate. Our history as it's portrayed is just a recipe for hate!"
    -Bad Religion

  7. #7
    This might help you configure the kernel
    http://www.tldp.org/HOWTO/Kernel-HOWTO-4.html#ss4.3
    test

  8. #8
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002
    Posts
    551
    Prodikal -

    You won't hose your system as long as you keep the old kernel in your boot loader in case the new one doesn't boot. You can have as many different kernels and versions as you want. If you're going to recompile your kernel, I recommend getting 2.4.19 from kernel.org. That way, 1) you have the newest version, and 2) your modules will install to /lib/modules/2.4.19 instead of installing to /lib/modules/2.4.18-3 and overwriting Red Hat's default modules. Then you can add the new kernel to grub without changing your old entry. When you finish, make a symlink from /usr/src/linux-2.4.19 to /usr/src/linux and you should be good as gold.

    PM me if you have trouble and I'll try to help.
    Do what you want with the girl, but leave me alone!

  9. #9
    Senior Member
    Join Date
    Jul 2002
    Posts
    225
    And don't forget new iptables!
    "Now it's time to erase the story of our bogus fate. Our history as it's portrayed is just a recipe for hate!"
    -Bad Religion

  10. #10
    Junior Member
    Join Date
    Aug 2001
    Posts
    6
    Hi Prodikal,
    What Linux distribution are you using? RedHat? Debian?
    What kernel version are you using? I think you need kernel 2.4 or later for snort to run properly. If you already have a 2.4 or later kernel and you are using RedHat or Debian, you don't really need to install snort from scratch; there is an rpm/deb package.

    And if you're using a Linux distro with rpm, you can follow the instructions here, which may help: <www.snort.org/doc/snort-rh7-mysql.pdf>
    ~ Moch ~
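
The error in post #1 is reported by the socket() call behind openPcap(), and posts #4 to #6 attribute it to missing packet-socket support in the kernel. As an added example (not from the thread or the Snort project), this Python probe opens the kind of packet socket a Linux sniffer needs and reports whether a failure points at privilege or at kernel support; `classify`, `probe` and `ADVICE` are illustrative names, and the errno grouping assumes current Linux behaviour.

```python
import errno
import os
import socket

# errno values grouped by what they say about a failed capture socket.
# Grouping assumes current Linux kernels; older kernels may differ.
PRIVILEGE = {errno.EPERM, errno.EACCES}
NO_KERNEL_SUPPORT = {errno.EAFNOSUPPORT, errno.EPROTONOSUPPORT,
                     errno.ESOCKTNOSUPPORT, errno.EINVAL}
ETH_P_ALL = 0x0003  # <linux/if_ether.h>: receive frames of every protocol

ADVICE = {
    "ok": "packet sockets work; look at the snort options or interface name",
    "privilege": "run the sniffer as root or grant it CAP_NET_RAW",
    "kernel": "kernel has no packet socket support (CONFIG_PACKET): "
              "load the module or rebuild the kernel",
    "other": "unexpected failure; read the detail string",
}


def classify(err):
    """Map an errno returned by socket() to a likely cause."""
    if err == 0:
        return "ok"
    if err in PRIVILEGE:
        return "privilege"
    if err in NO_KERNEL_SUPPORT:
        return "kernel"
    return "other"


def probe():
    """Try to open a raw packet socket; return (cause, detail)."""
    family = getattr(socket, "AF_PACKET", None)
    if family is None:  # not a Linux build of Python
        return "other", "AF_PACKET is not available on this platform"
    try:
        s = socket.socket(family, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    except OSError as exc:
        name = errno.errorcode.get(exc.errno, str(exc.errno))
        return classify(exc.errno), f"{name}: {exc.strerror}"
    s.close()
    return "ok", "packet socket opened"


if __name__ == "__main__":
    cause, detail = probe()
    print(f"euid={os.geteuid()} result={cause} ({detail})")
    print(ADVICE[cause])
```

Running it once as a normal user and once as root separates a permissions problem from a kernel that cannot provide the socket at all.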
