Package: snort
Version: 2.7.0-8
Severity: normal

I have multiple interfaces lan0 and wlan0 (fixed and wireless) on my
computer.  It's a laptop; I only use one at a time depending on where
I happen to be at the time.

I want to be able to run snort as a simple security measure, so that it
keeps watch over either interface, whichever one happens to be running
at the time.  So I configure the two, setting snort/interface as 
"lan0 wlan0".

However, because only one of the interfaces is activated at one time,
snort fails to process the configuration, saying for instance:

Starting Network Intrusion Detection System : snort (lan0 no
/etc/snort/snort.lan0.conf found, defaulting to snort.conf ...done)
(wlan0 no /etc/snort/snort.wlan0.conf found, defaulting to snort.conf
...ERROR: failed (check /var/log/syslog and /var/log/snort)) failed!
invoke-rc.d: initscript snort, action "start" failed.
dpkg: error processing snort (--configure):
 subprocess post-installation script returned error exit status 1
 
Hence dpkg treats snort as unconfigured, and proper installation is
not successful.

Looking at /var/log/syslog, it suggests the failure is simply due to
wlan0 being deactivated (this upgrade was done over lan0):

Jan  3 15:36:58 pug snort[29018]: FATAL ERROR: OpenPcap() device wlan0
open:  
        SIOCGIFHWADDR: No such device 



So snort does not appear to elegantly deal with a temporarily
deactivated interface.  The expected behaviour would be for snort to
simply ignore (or perhaps record a warning against) a missing
interface, and then switch over to monitor that interface, once it is
later activated (perhaps some use of ifupdown's /etc/network/if-up.d/
scripts is needed to achieve this?)

Thanks,
Drew

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.23
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages snort depends on:
ii  adduser                 3.105            add and remove users and groups
ii  debconf [debconf-2.0]   1.5.17           Debian configuration management sy
ii  libc6                   2.7-5            GNU C Library: Shared libraries
ii  libgcrypt11             1.4.0-2          LGPL Crypto library - runtime libr
ii  libgnutls13             2.0.4-1          the GNU TLS library - runtime libr
ii  libgpg-error0           1.4-2            library for common error values an
ii  libltdl3                1.5.24-2         A system independent dlopen wrappe
ii  libpcap0.8              0.9.8-2          System interface for user-level pa
ii  libpcre3                7.3-2            Perl 5 Compatible Regular Expressi
ii  libprelude2             0.9.16.1-1       Hybrid Intrusion Detection System 
ii  libtasn1-3              1.2-1            Manage ASN.1 structures (runtime)
ii  logrotate               3.7.1-3          Log rotation utility
ii  snort-common            2.7.0-8          Flexible Network Intrusion Detecti
ii  snort-common-libraries  2.7.0-8          Flexible Network Intrusion Detecti
ii  snort-rules-default     2.7.0-8          Flexible Network Intrusion Detecti
ii  sysklogd [system-log-da 1.5-1            System Logging Daemon
ii  zlib1g                  1:1.2.3.3.dfsg-8 compression library - runtime

Versions of packages snort recommends:
ii  snort-doc                     2.7.0-8    Documentation for the Snort IDS [d

-- debconf information:
  snort/startup: boot
  snort/please_restart_manually:
  snort/stats_treshold: 1
  snort/options:
* snort/invalid_interface:
* snort/interface: lan0 wlan0
  snort/stats_rcpt: root
  snort/send_stats: true
  snort/config_parameters:
* snort/config_error:
  snort/reverse_order: false
  snort/disable_promiscuous: false
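
The behaviour the report asks for (skip an interface that is not present at start, then start monitoring it from an if-up.d hook), as an added shell example. It is not part of the original report or of the Debian snort package; the function names, the sysfs presence check and the overridable SYSFS_NET, CONF_DIR and INTERFACES variables are assumptions.

```shell
#!/bin/sh
# Added example: not the Debian snort init script. Function names are hypothetical.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"    # overridable so the logic can be tested
CONF_DIR="${CONF_DIR:-/etc/snort}"
INTERFACES="${INTERFACES:-lan0 wlan0}"      # the snort/interface value from the report

# Echo the configured interfaces that exist right now; warn about the rest.
present_interfaces() {
    present=""
    for ifc in $1; do
        if [ -e "$SYSFS_NET/$ifc" ]; then
            present="${present:+$present }$ifc"
        else
            echo "snort: $ifc not present, skipping for now" >&2
        fi
    done
    echo "$present"
}

# Per-interface config with fallback to snort.conf, as the init output describes.
config_for() {
    [ -f "$CONF_DIR/snort.$1.conf" ] && { echo "$CONF_DIR/snort.$1.conf"; return; }
    echo "$CONF_DIR/snort.conf"
}

# Launch one daemonised sensor bound to a single interface.
start_one() { snort -D -i "$1" -c "$(config_for "$1")"; }

# Start a sensor on each present interface. An absent interface is only a
# warning; a failed start on a present interface makes the function return 1.
start_sensors() {
    rc=0
    for ifc in $(present_interfaces "$1"); do
        start_one "$ifc" || rc=1
    done
    return $rc
}

# Body for an /etc/network/if-up.d/ script: ifupdown exports IFACE, and the
# hook acts only when that name is one of the configured interfaces.
ifup_hook() {
    case " $INTERFACES " in
        *" $IFACE "*) start_one "$IFACE" ;;
        *) return 0 ;;
    esac
}

case "${1:-}" in
    start) start_sensors "$INTERFACES" ;;
    ifup)  ifup_hook ;;
esac
```

With this logic the start action returns success when wlan0 is simply absent, so the package's post-installation step would not fail for that reason alone.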


