-
./snort -d ./log ppp1
OK, I think I see something here..
you cd to
/home/prodiakl/snort-0.9.0
then you execute snort like this
./snort -d ./log ppp1
Now this would mean that the log directory you are specifying on the command line would be at /home/prodiakl/snort-0.9.0/log, which you later say you created in /var/log/snort, so this should be run like this:
/home/prodiakl/snort-0.9.0/snort -d /var/log/snort ppp1
Now that will remove the problem I stated above.
And if you haven't already, you'll most definitely want to double check your snort.conf.
Now onto the pcap error. Do you have libpcap installed? I'm not sure how you can tell, but you should check (I'm sure someone here can tell you how).. and you'll want to recompile your kernel, it's a learning experience. Also, have you tried logging in as root and running that command, as opposed to logging in as prodiakl and su'ing to root? Perhaps it's a permission problem not allowing a process started by prodiakl to use the pcap library (just a wild guess).
But I'm sure you could get some more help if you posted what distribution, and versions of your kernel and pcap libraries.
After reading this I'm not sure I actually gave any help or just rambled... hope I helped though.
-
Thanks to all of you. problemchild, I have already backed up my kernel; it shows up at the boot loader screen under linux bak. goon, yes, I have got libpcap installed too, and I tried running the commands under root and I am still getting the same errors. Is libpcap a problem if you are running snort too? Hmm, thanks again. I will need to do some serious reading; I have never compiled my kernel before. TY to all of you :D
EDIT: BTW my kernel is 2.4 on Red Hat 7.3
-
Which libpcap version are you currently using? (rpm -qa | grep libpcap)
-
I'm using libpcap 0.7.1 and I didn't download the rpm for it, I downloaded the tarball. Why? Does it conflict with snort? Please, people, I'm at a dead end on this. I'm really hoping I don't need to recompile my kernel. Is there any other way?
-
I found another site to help you.. From the first site I gave you, it said you needed to enable SOCKET_PACKET; next I gave you a site to show you the process of configuring and recompiling your kernel. I don't think you have much of a choice unfortunately, but I could be wrong. Using menuconfig:
make menuconfig
you can now configure your kernel. I found this site:
http://hints.linuxfromscratch.org/hints/pppoe.txt
Now they are talking about getting some sort of device working, but if you scroll down to the installing the kernel section, the process you would follow should be similar.
-
Kinda sounds like your ppp0 interface is already in promiscuous mode, hence you can't put it in promiscuous mode if it's already running in that manner.
Also your syntax is a little screwy. It should be something like this:
/usr/local/bin/snort -d -l /var/log/snort -i ppp0 &
you left out the -l for the log directory
you left out the -i for interface
you left out the & to run it in the background.
-
Hmmm, Slackware Linux. Thanks anyway, it seems to be progressing. I gave that command and I still got errors on the interface. What am I doing wrong here, anyone? What do I need to do with interface ppp0? I tried running snort before I connected to the net too and I still got errors.
Here are the errors I got. If anyone could help, please feel free. I emailed the contact address at the snort website but I didn't get any response back yet.
Here are the errors, this is the full message I get:
initializing net work interface ppp1
ioctl(SIOC+MTU): no such device
automagic MTU discovery failed. using default 1500ERROR: OpenPcap() device ppp1 open
socket Operation not permitted
fatal Error, quitting
After I press enter to get the message away, I get this after it:
[1]+ Exit 1 /usr/local/bin/snort -d -l /var/log/snort -i ppp1
Does anyone have an insight into what is going wrong here? Any help from here is highly appreciated. Thanks to all who have already replied.
-
hmm.. this is a tough one..
you might want to:
1. check the name of the interface again, as root, run ifconfig.
2. check if the interface is up properly, tcpdump -i <interface-name> and see if you get something on the screen.
That's all I can think of..
btw, make sure you run snort as root. At least for now until you get it working properly then you can think of creating a snort username, etc,etc..
Good luck.
Moch
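-
The checks suggested across this thread (confirm the interface name, pass an existing log directory with -l, run as root), collected into one pre-flight script. This is an added example, not something posted by any participant; the function names, argument order and use of /proc/net/dev for the interface list are assumptions made for the sketch.

```shell
#!/bin/sh
# Pre-flight checks for a command such as:
#   snort -d -l /var/log/snort -i ppp0
# Function names and argument order are assumptions made for this example.

# list_ifaces [FILE]: print the interface names the kernel currently has.
# /proc/net/dev has two header lines, then one "name: counters..." line each.
list_ifaces() {
    awk 'NR > 2 { sub(/:.*/, ""); gsub(/[ \t]/, ""); print }' "${1:-/proc/net/dev}"
}

# snort_preflight UID IFACE LOGDIR [FILE]
# Prints one line per problem on stderr; returns the number of problems found.
snort_preflight() {
    pf_uid=$1 pf_if=$2 pf_log=$3 pf_dev=${4:-/proc/net/dev}
    pf_bad=0

    # Opening a raw capture socket needs root (or CAP_NET_RAW).
    if [ "$pf_uid" -ne 0 ]; then
        echo "not root (uid $pf_uid): capture socket will be refused" >&2
        pf_bad=$((pf_bad + 1))
    fi

    # An interface that is not listed cannot be opened for capture.
    if ! list_ifaces "$pf_dev" | grep -qxF -- "$pf_if"; then
        echo "interface '$pf_if' not present; known: $(list_ifaces "$pf_dev" | tr '\n' ' ')" >&2
        pf_bad=$((pf_bad + 1))
    fi

    # The -l argument must point at an existing, writable directory.
    if [ ! -d "$pf_log" ] || [ ! -w "$pf_log" ]; then
        echo "log directory '$pf_log' missing or not writable" >&2
        pf_bad=$((pf_bad + 1))
    fi

    return "$pf_bad"
}

# Run the checks when called as: script IFACE LOGDIR
if [ "$#" -eq 2 ]; then
    snort_preflight "$(id -u)" "$1" "$2" && echo "ok: snort -d -l $2 -i $1"
fi
```

Saved under any name and run as `sh <script> ppp0 /var/log/snort`, it prints the ready-to-use command only when all three checks pass.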