On Wed, 27 Jun 2007 23:23:59 -0400 Phan Thanh Liêm <[EMAIL PROTECTED]> wrote:
>Dear all,
>
>Initially, I installed Honeywall 1.1 and I encountered the same
>problem with snort_inline log.
>I can not view it.
>After that I changed to Honeywall 1.2 and I still can not see
>anything in snort_inline log.
>
>I'm sure that snort_inline is firing and not outbound rate
>limiting.
>
>My snort runs normally, so I compare the user priv between snort
>and snort_inline
>[EMAIL PROTECTED] ~]# ps -ef | grep snort
>snort 28305 1 0 00:04 ? 00:00:07 snort-plain -D -c /etc/snort/snort.conf -i eth1 -l /var/log/snort/20070628 -u snort -t /var/log/snort -N
>root 30948 1 85 09:52 ? 00:00:05 snort-inline -D -c /etc/snort_inline/snort_inline.conf -Q -l /var/log/snort_inline/20070628 -u snort -t /var/log/snort_inline
>Snort_inline runs with "root" priv only, doesn't it?

Yes

>Then I decided to change the mod of /var/log/snort_inline to 777
>and the owner of /var/log/snort_inline to snort.
>But it didn't solve anything.
>
>I'll attach my "honeywall.conf", "snort_inline.conf"

I just installed a clean roo-1.2, configured and ran 'nmap -sT -p20-30' from a Honeypot to an outside host. I see logs and inline alerts in walleye. Not sure if enabling additional logging and rules in your inline.conf has anything to do with it... HwHPOT_PUBLIC_IP is not defined in your honeywall.conf, which could be the problem.

If the output of 'hwctl HwHPOT_PUBLIC_IP' reports that HwHPOT_PUBLIC_IP is indeed empty, try adding the list of Honeypot IPs:

Walleye - sys admin, honeywall Administration, IP Information Dialog - honeywall config, mode and IP, Honeypot IP
hwctl - 'hwctl -r HwHPOT_PUBLIC_IP="IP1 IP2 IP2"'

Earl
