Snort mailing list archives

snort trouble with packet logging


From: Vincent Chen <vctw () yahoo com>
Date: Tue, 5 Feb 2002 01:38:44 -0800 (PST)


Dear all,

I found some ssh and printer access attempts blocked
by my firewall recently, but they did not appear in the snort
alert file. So I tried to enable snort's packet
logging. This is how I start snort 1.8.3 on FreeBSD
4.5 release:

snort -D -i tun0 -A full -b -u operator -g operator -t /var/snort -c /conf/snort.conf -l /log

After running for hours, the packet log file grew to several
megabytes, but there were only a few alerts. I used the following
command to try to read it, but I only got:

snort -v -d -r <log file>

TCPDUMP file reading mode.
Reading network traffic from "packet" file.
snaplen = 1514

        --== Initializing Snort ==--

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.3 (Build 88)
By Martin Roesch (roesch () sourcefire com,
www.snort.org)
pcap_loop: bogus savefile header

===============================================================================

Snort processed 0 packets.
.
.
.
Snort received signal 3, exiting


What does 'bogus savefile header' mean?
How can I get packet logging to work properly?

BTW: I added several rules to local.rules to try to log
ssh and printer access attempts. Here they are:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "SSH access attempt";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg: "rpc access attempt";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg: "printer access attempt";)

Will these 3 rules work?


Thanks for your help,

Vincent Chen
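As an added diagnostic example (not part of Vincent's post and not Snort or libpcap code): libpcap prints "bogus savefile header" from its per-record reader, not from the global-header parser. The global header of the file above was read fine (snort printed snaplen = 1514); the failure comes when a later packet record claims a captured length larger than that snaplen, which is exactly what a truncated file, a file being written to while it is read, or non-pcap bytes in the middle of the stream look like. The script below walks a tcpdump/pcap savefile the same way and reports the record and byte offset of the first problem, so the log can be checked before handing it to snort -r. The sample pcap is constructed inline for the test; pass a real path on the command line to check an actual -b log file.

```python
#!/usr/bin/env python3
"""Walk a tcpdump/pcap savefile and report the first record libpcap would reject.

Added example for diagnosing "pcap_loop: bogus savefile header"; it is not
Snort or libpcap code.  pcap layout (fixed by the format):
  global header, 24 bytes: magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
  per-record header, 16 bytes: ts_sec, ts_usec, incl_len (caplen), orig_len
"""
import struct
import sys

GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16
PCAP_MAGIC = 0xA1B2C3D4          # magic as written by a big-endian host
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # the same magic written by a little-endian host


def check_pcap(data: bytes) -> dict:
    """Validate a pcap byte string.

    Returns a dict with 'ok', 'reason', 'record' (index of the offending record,
    or the record count when ok) and 'offset' (byte offset of the offending
    record, or None when ok).
    """
    if len(data) < GLOBAL_HDR_LEN:
        return {"ok": False, "reason": "shorter than the 24-byte global header",
                "record": None, "offset": 0}
    # The magic is stored in the writer's byte order; it tells us how to read everything else.
    (magic,) = struct.unpack(">I", data[:4])
    if magic == PCAP_MAGIC:
        endian = ">"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = "<"
    else:
        return {"ok": False, "reason": "unknown magic 0x%08x: not a pcap savefile" % magic,
                "record": None, "offset": 0}
    ver_major, ver_minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HDR_LEN])
    limit = snaplen if snaplen else 65535  # some writers store 0 for "no limit"

    off, idx = GLOBAL_HDR_LEN, 0
    while off < len(data):
        if off + RECORD_HDR_LEN > len(data):
            return {"ok": False, "reason": "truncated record header", "record": idx, "offset": off}
        _sec, _usec, caplen, _orig = struct.unpack(endian + "IIII", data[off:off + RECORD_HDR_LEN])
        # This is the condition behind libpcap's "bogus savefile header" message.
        if caplen > limit:
            return {"ok": False,
                    "reason": "caplen %d exceeds snaplen %d (libpcap: bogus savefile header)" % (caplen, limit),
                    "record": idx, "offset": off}
        if off + RECORD_HDR_LEN + caplen > len(data):
            return {"ok": False, "reason": "truncated packet data", "record": idx, "offset": off}
        off += RECORD_HDR_LEN + caplen
        idx += 1
    return {"ok": True, "reason": "", "record": idx, "offset": None,
            "snaplen": snaplen, "linktype": linktype, "version": (ver_major, ver_minor)}


def build_sample(corrupt: bool) -> bytes:
    """Construct a tiny little-endian pcap (snaplen 1514, linktype 1 = Ethernet) with two
    60-byte records; with corrupt=True the second record's caplen is made absurd."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 1514, 1)
    pkt = b"\x00" * 60
    rec0 = struct.pack("<IIII", 1012900000, 0, len(pkt), len(pkt)) + pkt
    caplen = 0x41424344 if corrupt else len(pkt)
    rec1 = struct.pack("<IIII", 1012900001, 0, caplen, len(pkt)) + pkt
    return hdr + rec0 + rec1


if __name__ == "__main__":
    # Usage: check_pcap.py /log/snort-<date>.log ; with no argument the constructed bad sample is checked.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(corrupt=True)
    print(check_pcap(blob))
```

If the report says the failure is at a record near the end of the file, the log was most likely still being appended to by the daemonized snort (-D) when it was read; stop or rotate the logger first and read the closed file. A failure at record 0 or an unknown magic means the file is not a pcap stream at all.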


