Snort and Smoothwall

[Crypt]

Snort is set to start up when smoothwall restarts. Nothing happens with it, and when i try to start it manually i get this as an error:

Initializing Network Interface eth0
ERROR: OpenPcap() FSM compilation failed:
PCAP command: %s

Fatal Error, Quitting...


anyone have any ideas on whats causing this, or how i might fix it?

[Critter]

The best thiing i could recommend to to search google. If you type the following
"OpenPcap() FSM compilation failed" just like it is with quotations, you'll find many others with the same problem as you. One of those results is bound to have your answer.

I'm guessing when i say this, but i think you have a problem with:
libpcap if your using linux or winpcap if your using windows

Critter
http://www.chrisstokes.com

[S3cur|ty4ng31]

What platform are you running on?

If you on windows you probably just need to install winpcap.
If you are on *nix you must run snort with enough privileges to be able to drop you NIC into promiscuous mode.

[Tiger Shark]

I would be concerned if I found that snort would work with a software firewall running. I know it flat doesn't work with ZoneAlarm and technically it shouldn't work with any decent firewall in place.....

A good firewall is the _very_ first thing to inspect a packet. A good firewall will drop any packet that contravenes it's ACL's. Therefore nothing except what is explicitly allowed should ever reach Snort on a properly imlemented firewall application.

If Snort/WinPCap or whatever is able to put the card into promiscuous mode and actually see all packets it's not a good firewall IMO.... Simply because _any_ application that can read and act upon network transmissions before ACL's have been applied are a potential security risk.

Snort doesn't even work well with IPSec implemented on a Win2k box, I haven't tried it with the XP "firewall" but I suspect that you would discover that some ports are open by default if someone scans you properly.

I think you are going to have to drop the firewall for Snort to work properly for you.

[Und3ertak3r]

MY Bloody goodness.. Don't anyone know what the hell SMOOTHWALL is?

The Critter & S3cur|ty4ng31 goto http://www.smoothwall.org/ and read about it..

As for Crypt, What version are you running.. this will help those who are able to help..

Smoothwall is currently in Version 2 beta 7.. And Snort is normaly included as the IDS tool..

Cheers

[S3cur|ty4ng31]

Originally posted here by Und3ertak3r
MY Bloody goodness.. Don't anyone know what the hell SMOOTHWALL is?

The Critter & S3cur|ty4ng31 goto http://www.smoothwall.org/ and read about it..

I actually could care less about smoothwall, goto www.snort.org
My bloody evilness.. did you see what his errors are?

Initializing Network Interface eth0
ERROR: OpenPcap() FSM compilation failed:
PCAP command: %s

Fatal Error, Quitting...

Which is a snort error when a NIC cannot drop into promiscuous mode.

[spazzmatrix]

I have been using smoothwall since (mallard) came out and its pretty sweet. Although not the BEST firewall in the world but damn good. For each version there is a patch for SNORT snort did not work correctly on my orient version then i installed the patches and it works great now.

Since smoothwall is designed to run a specific way its not designed as a "computer" its designed to be a standalone firewall. The forums on the smoothwall site will agree when I say, Smoothwall is a firewall, use it for what it was made for.

If you want to use snort install linux on another computer.

[skiddieleet]

I had a quick question. Let's say I wanted to make a honeypot or have a computer with snort on it outside my network/router. Would I just put in 2 nic cards and have the cable from my cable modem go into one, then another cable go out from the other to my router for my network? If this is correct is there some configuration involved or will it just recognize that you have two cards and autoconfig them? I'm assuming in windows you would just turn on internet connection sharing. Is this assumption correct?
Thanks in advance for any help.

[Tiger Shark]

Heretic: I do this at work on winX systems....

Yes, 2 NICs, Internal can be accessible, External.... Unbind all services and run snort...

ICS would be a no-no.... They won't go automatically.... But check that they are independant.

[skiddieleet]

Thanks for the response Tiger Shark. What if I wanted all traffic to flow through the outside computer normally, only have snort pick out anything suspicious? You said to have each nic separate. How would I do this. Are there some linux distro's that can automatically detect your two nic cards during install and configure it to let traffic flow through that computer like it wasn't there, only have snort sniff the traffic. I don't want to screw up my network though. I have three computers connected to my main router. Then I have another router configured to act as just a switch. This second router has the three computers in my room on it. If I put the computer running snort between the first and second router would this be ok. The only computers running services are the ones in my room and I have virtual servers set up to point to these computers. So if I put the computer with snort in the location described it should pick up any attacks agianst my computers running the services right? I can probably find stuff about this on google so don't kill yourself. First I need a computer to put in this position. Anyone have a spare they can give me. Preferably at least 2.4 GHz, 1 Gig RAM, 128MB video card. Thanks.
edit
testing