Snort and Smoothwall

Thread: Snort and Smoothwall

  1. #1
    Junior Member
    Join Date
    Dec 2002
    Posts
    11

    Snort and Smoothwall

    Snort is set to start up when Smoothwall restarts. Nothing happens with it, and when I try to start it manually I get this as an error:

    Initializing Network Interface eth0
    ERROR: OpenPcap() FSM compilation failed:
    PCAP command: %s

    Fatal Error, Quitting...


    Anyone have any ideas on what's causing this, or how I might fix it?

  2. #2
    Member
    Join Date
    Nov 2003
    Posts
    30
    The best thing I could recommend is to search Google. If you type the following
    "OpenPcap() FSM compilation failed" just like it is with quotations, you'll find many others with the same problem as you. One of those results is bound to have your answer.

    I'm guessing when I say this, but I think you have a problem with:
    libpcap if you're using Linux or WinPcap if you're using Windows

    Critter
    http://www.chrisstokes.com

  3. #3
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    What platform are you running on?

    If you are on Windows you probably just need to install WinPcap.
    If you are on *nix you must run Snort with enough privileges to be able to drop your NIC into promiscuous mode.
    That which does not kill me makes me stronger -- Friedrich Nietzsche
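
The privilege point in post #3, as an added example that is not part of the thread: on Linux the capability a libpcap sniffer needs to open its capture socket is CAP_NET_RAW, so a preflight can read it from `/proc/self/status` and check the interface flags in sysfs before Snort is started. The function names, the `eth0` default and the sample status text are assumptions constructed for the example.

```python
"""Preflight for a libpcap sniffer on Linux (added example, not from the thread)."""

CAP_NET_RAW = 13   # bit number of CAP_NET_RAW in the capability mask
IFF_UP = 0x1       # interface flag: administratively up


def effective_caps(status_text):
    """Return the CapEff bitmask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line found")


def preflight(status_text, flags_hex):
    """Return the reasons a capture is likely to fail; an empty list means OK."""
    problems = []
    if not effective_caps(status_text) & (1 << CAP_NET_RAW):
        problems.append("missing CAP_NET_RAW: cannot open a capture socket")
    if not int(flags_hex.strip(), 16) & IFF_UP:
        problems.append("interface is down")
    return problems


def check_live(iface="eth0"):
    """Run the same checks against this process and a real interface."""
    with open("/proc/self/status") as f:
        status = f.read()
    with open(f"/sys/class/net/{iface}/flags") as f:
        flags = f.read()
    return preflight(status, flags)


# Constructed samples of /proc/<pid>/status content (not captured from a real host).
UNPRIV = "Name:\tsnort\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"
FULL_ROOT = "Name:\tsnort\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
# uid 0 with capabilities dropped (e.g. a restricted container): still cannot sniff.
ROOT_NO_CAPS = "Name:\tsnort\nUid:\t0\t0\t0\t0\nCapEff:\t0000000000000000\n"
# A non-root account holding only CAP_NET_RAW is enough for capture.
NET_RAW_ONLY = "Name:\tsnort\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000002000\n"

if __name__ == "__main__":
    for name, sample in [("unpriv", UNPRIV), ("root", FULL_ROOT),
                         ("root, caps dropped", ROOT_NO_CAPS),
                         ("CAP_NET_RAW only", NET_RAW_ONLY)]:
        print(name, preflight(sample, "0x1003"))
```

The `NET_RAW_ONLY` case shows that "enough privileges" does not have to mean full root, and `ROOT_NO_CAPS` shows that uid 0 alone is not a guarantee.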

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I would be concerned if I found that snort would work with a software firewall running. I know it flat doesn't work with ZoneAlarm and technically it shouldn't work with any decent firewall in place.....

    A good firewall is the _very_ first thing to inspect a packet. A good firewall will drop any packet that contravenes its ACLs. Therefore nothing except what is explicitly allowed should ever reach Snort on a properly implemented firewall application.

    If Snort/WinPcap or whatever is able to put the card into promiscuous mode and actually see all packets it's not a good firewall IMO.... Simply because _any_ application that can read and act upon network transmissions before ACLs have been applied is a potential security risk.

    Snort doesn't even work well with IPSec implemented on a Win2k box, I haven't tried it with the XP "firewall" but I suspect that you would discover that some ports are open by default if someone scans you properly.

    I think you are going to have to drop the firewall for Snort to work properly for you.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    MY Bloody goodness.. Don't anyone know what the hell SMOOTHWALL is?

    The Critter & S3cur|ty4ng31 go to http://www.smoothwall.org/ and read about it..

    As for Crypt, What version are you running.. this will help those who are able to help..

    Smoothwall is currently in Version 2 beta 7.. And Snort is normally included as the IDS tool..

    Cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  6. #6
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    Originally posted here by Und3ertak3r
    MY Bloody goodness.. Don't anyone know what the hell SMOOTHWALL is?

    The Critter & S3cur|ty4ng31 go to http://www.smoothwall.org/ and read about it..
    I actually could care less about Smoothwall, go to www.snort.org
    My bloody evilness.. did you see what his errors are?

    Initializing Network Interface eth0
    ERROR: OpenPcap() FSM compilation failed:
    PCAP command: %s

    Fatal Error, Quitting...

    Which is a Snort error when a NIC cannot drop into promiscuous mode.
    That which does not kill me makes me stronger -- Friedrich Nietzsche

  7. #7
    Senior Member
    Join Date
    Oct 2001
    Posts
    131

    smoothwall rox

    I have been using Smoothwall since (mallard) came out and it's pretty sweet. Although not the BEST firewall in the world but damn good. For each version there is a patch for Snort. Snort did not work correctly on my orient version, then I installed the patches and it works great now.

    Since Smoothwall is designed to run a specific way, it's not designed as a "computer", it's designed to be a standalone firewall. The forums on the Smoothwall site will agree when I say, Smoothwall is a firewall, use it for what it was made for.

    If you want to use Snort, install Linux on another computer.
    What's a "START" button?

  8. #8
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    I had a quick question. Let's say I wanted to make a honeypot or have a computer with snort on it outside my network/router. Would I just put in 2 nic cards and have the cable from my cable modem go into one, then another cable go out from the other to my router for my network? If this is correct is there some configuration involved or will it just recognize that you have two cards and autoconfig them? I'm assuming in windows you would just turn on internet connection sharing. Is this assumption correct?
    Thanks in advance for any help.

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Heretic: I do this at work on winX systems....

    Yes, 2 NICs, Internal can be accessible, External.... Unbind all services and run snort...

    ICS would be a no-no.... They won't go automatically.... But check that they are independent.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  10. #10
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    Thanks for the response Tiger Shark. What if I wanted all traffic to flow through the outside computer normally, only have Snort pick out anything suspicious? You said to have each NIC separate. How would I do this? Are there some Linux distros that can automatically detect your two NIC cards during install and configure it to let traffic flow through that computer like it wasn't there, only have Snort sniff the traffic? I don't want to screw up my network though. I have three computers connected to my main router. Then I have another router configured to act as just a switch. This second router has the three computers in my room on it. If I put the computer running Snort between the first and second router would this be OK? The only computers running services are the ones in my room and I have virtual servers set up to point to these computers. So if I put the computer with Snort in the location described it should pick up any attacks against my computers running the services, right? I can probably find stuff about this on Google so don't kill yourself. First I need a computer to put in this position. Anyone have a spare they can give me? Preferably at least 2.4 GHz, 1 Gig RAM, 128MB video card. Thanks.
    edit
    testing
