Snort-Setup for Statistics HOWTO
spoppi at gmx.de
v1.01, Feb 23, 2002
Revision HistoryRevision 1.012002-02-23Revised by: sp- added "Setting up Linux for Snort" section
commented it out to get a more general versionRevision 0.032001-09-19Revised by: sp- added throttle option to swatch.conf
added MD5 checksum section but commented it outRevision 0.022001-09-16Revised by: spSome clarifications as suggested from Greg Sarsons, thx ;)Revision 0.012001-09-04Revised by: spInitial version
This HOWTO describes how to configure Snort version 1.8.3 to be used in
conjunction with the statistical tools ACID (Analysis Console for Intrusion Databases) and !SnortSnarf?. It also intends to get some internal statistics out of snort, e.g. if there are packets dropped.
Additionally a description of how to automatically update Max Vision's
rules, some scripts which may be helpful and a demo swatch configuration is included.
----; Table of Contents; 1. Introduction: ; 1.1. Copyright Information; 1.2. Disclaimer; 1.3. New Versions; 1.4. Credits; 1.5. Feedback; 1.6. Translations; 2. Structure; 3. Technical Overview; 4. Configuration: ; 4.1. Setting up Linux for Snort; 4.2. Configuring Snort; 4.3. Configuring MySQL; 4.4. Configuring ADODB; 4.5. Configuring PHPlot; 4.6. Configuring ACID; 4.7. Configuring !SnortSnarf?; 4.8. Configuring Arachnids_upd; 4.9. Configuring Swatch; 5. Security Issues; 6. Getting Help; 7. Questions and Answers
This document was written when I created an IDS sensor with Snort and
using some statistic tools in order to help others implementing it. If at least one out there can be helped it has been worth the work.
Snort is an excellent Network Intrusion Detection System (NIDS) for various
unices. The Snort homepage can be found at 
http://www.snort.org/. The version
described here is 1.8.3 which was the actual version at the time of writing.
The statistic tools I will describe here are ACID, a database analysis tool
for Snort which can be found at http://www.cert.org/kb/acid/ and
Additional support packages are needed for ACID. These are a PHP4 capable
webserver like apache (http://www.apache.org/), PHPlot used for
creating graphs in PHP (http://www.phplot.com/) and ADODB used
for connecting to databases with PHP (http://php.weblogs.com/ADODB/).
The description also includes which additional software is needed for ACID
and how to configure along with some scripts I use including a changed
version of the snortd initscript and a short chapter about swatch (http://www.stanford.edu/atkins/swatch) a log file watcher script written
in perl. I created a swatch RPM which can be found at http://www.lug-burghausen.org/projects/Snort-Statistics/swatch-3.0.2-1.noarch.rpm.
One hint for those interested in maintaining more than one snort sensor: You
might take a look at IDSPM (IDS Policy Manager) at http://www.activeworx.com/ which is
an application to maintain various sensors with different policies along with
merging capabilities for new rules and a lot more. The only "nasty" thing is
that it runs on W2K/XP and is not (yet?) Open Source.
This document is copyrighted (c) 2001, 2002 Sandro Poppi and is
distributed under the terms of the Linux Documentation Project (LDP) license, stated below.
Unless otherwise stated, Linux HOWTO documents are
copyrighted by their respective authors. Linux HOWTO documents may be reproduced and distributed in whole or in part, in any medium physical or electronic, as long as this copyright notice is retained on all copies. Commercial redistribution is allowed and encouraged; however, the author would like to be notified of any such distributions.
All translations, derivative works, or aggregate works
incorporating any Linux HOWTO documents must be covered under this copyright notice. That is, you may not produce a derivative work from a HOWTO and impose additional restrictions on its distribution. Exceptions to these rules may be granted under certain conditions; please contact the Linux HOWTO coordinator at the address given below.
In short, we wish to promote dissemination of this
information through as many channels as possible. However, we do wish to retain copyright on the HOWTO documents, and would like to be notified of any plans to redistribute the HOWTOs.
If you have any questions, please contact
`linux-howto at metalab.unc.edub
No liability for the contents of this documents can be accepted.
Use the concepts, examples and other content at your own risk. As this is a new edition of this document, there may be errors and inaccuracies, that may of course be damaging to your system. Proceed with caution, and although this is highly unlikely, the author(s) do not take any responsibility for that.
All copyrights are held by their respective owners, unless
specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark.
Naming of particular products or brands should not be seen
as endorsements.
You are strongly recommended to take a backup of your system
before major installation and backups at regular intervals.
This is the initial release.
The main site for this HOWTO is
Mirrors may be found at the Linux
Documentation Project or Snort homepages.
The newest version of this HOWTO will always be made available on
the main website, in a variety of formats:
****
HTML.
**** ****
compressed
postscript (A4).
**** ****
SGML
source.
****
Credits go to a variaty of people including
****
Martin Roesch `roesch at sourcefire.comb Author of Snort
**** ****
Roman Danyliw `roman at danyliw.comb Author of ACID
**** ****
James Hoagland `hoagland at !SiliconDefense?.comb Author of
**** ****
Stuart Staniford `stuart at !SiliconDefense?.comb Author of
**** ****
Joe !McAlerney? `joey at siliconDefense.comb Author of
**** ****
John Lim `jlim at natsoft.com.myb Author of ADODB
**** ****
Afan Ottenheimer `afan at users.sourceforge.netb Author of
PHPlot
**** ****
Andreas Östling `andreaso at it.su.seb Author of
arachnids_upd
**** ****
Max Vision `vision at whitehats.comb "Distributor" of
vision.rules and maintainer of http://www.whitehats.com/
**** ****
Greg Sarsons `gsarsons at home.comb for proof reading and
suggestions
**** ****
All the peaople on the snort-users mailinglist, they
helped me and of course they will help YOU b;)
**** ****
...
****
If I missed someone it was not because of not honoring her or his work!
Feedback is most certainly welcome for this document. Without
your submissions and input, this document wouldn't exist. Please send your additions, comments and criticisms to the following email address : `spoppi at gmx.deb.
There are currently no translations available.
This document is supposed to be a step by step guide on how to install and
configure snort version 1.8.3, ACID, a web based frontend for
statistical realtime snort data with the underlying MySQL database and its
support packages PHPlot and ADODB, !SnortSnarf?, also a statistical tool with a
web frontend for analysing the snort logfile, arachnids_upd for always
getting the actual rules from Max Vision's http://www.whitehats.com/ site,
and a sample swatch configuration I use to check if snort reports errors
which I do not get because snort has stopped.
Snort is mainly a so called Network Intrusion Detection System (NIDS), it is
Open Source and available for a variaty of unices as well as Microsoft Windows (R).
A NIDS cares for a whole network segment in contrast to a host based IDS
which only cares for the host it is running on.
Since NIDS are mostly used in conjunction with firewalls it is vital to not
being vulnerable for attacks itself. Therefor all interfaces used with snort bound to should be set up without ip addresses. Since this can not be achieved in every configuration, e.g. if you want to bind snort on an isdn interface ippp0, it should be considered to use a standalone computer for snort and set it up as a firewall and router for the dial-up connection too.
For more information on that topic see the
Firewall-HOWTO or my Firewalling+Masquerading+Diald+dynamic IP-HOWTO.
Snort can be used to care for more than one network segment which we will
discuss later.
Snort also can be used as a sniffer to troubleshoot network problems, but
that's not a topic in this document.
ACID, the Analysis Console for Intrusion Databases, is part of the AIR-CERT
project. It makes use of PHPlot, a library for creating nice graphs in PHP, and ADODB, an abstraction library for combining PHP and various database
analysis engine to search and process a database of incidents generated by security-related software such as IDSes and firewalls."''
Max Vision's IDS rules (referred to as vision.rules
because this is the name of the downloadable file) are used to complete the rules shipped with snort.
arachnids_upd is a small but fine perl script which downloads the actual
vision.rules using wget and optionally deletes single rules given in an ASCII file.
This chapter describes the various configuration tasks to get snort and the
tools up and running.
Since I am using !RedHat linux 7.x all the given pathnames and configuration
options are eventually !RedHat specific while there should be no big problem to transfer it to any other distribution.
Instead of doing the work twice I only provide a link to a document
describing the various tasks of compiling/installing MySQL, Apache, ACID
etc. by Jason Lewis: http://www.packetnexus.com/docs/packetnexus/
Please keep in mind that I'm not the author of either the document or the
scripts mentioned there. I didn't even test the scripts so please don't ask me about them ;)
You can start installing snort by getting the actual tarball from
and compile it yourself or try to find precompiled binaries for your distribution.
For version 1.8.3 you can find precompiled binaries for rpm based linux
distributions, FreeBSD, Solaris and Windows at www.snort.org.
I'm no longer maintaining my own RPMS since work hasn't to be done more than
once. But I will offer you my adjusted snortd.multi
initscript at http://www.lug-burghausen.org/projects/Snort-Statistics/snortd.multi.
My old 1.8.1 RPMS with MySQL support (but without PostgreSQL support!) can
still be found at http://www.lug-burghausen.org/projects/Snort-Statistics/snort-1.8.1-4.i386.rpm.
To create a postgreSQL enabled version, download the Source
RPM, edit the spec file and rebuild the RPM. If you are not familiar
with creating RPMs you should have a look on the RPM-HOWTO or http://www.rpm.org/ where
Maximum RPM is located, a downloadable book about RPM
along with other good sources about RPM.
After installing the RPM we have to edit
/etc/snort/snort.conf to reflect our needs. Martin Roesch created the Snort Users Manual which is shipped with the snort tarball and the RPMS as a PDF version. You should have a look on it to see which options you would like to use as not all but only the ones needed for our configuration here will be covered in this document.
Also the example configuration /etc/snort/snort.conf
shipped with the tarball/RPM is a good place to start because of the detailed remarks.
----4.2.1.1. Snort Variables
First we define various variables like HOME_NET, EXTERNAL_NET and
DNS_SERVERS to reflect our network topology. Make sure you use the right addresses or you get weird, or worse, no alarms.
When using snort in a complex environment, let's say one sensor with
multiple interfaces to watch, the definition of HOME_NET and EXTERNAL_NET may be hard or at least results in a very long list, you can set both variables to any. You loose some kind of pre-filtering for the sake of not having to put in dozens of network ranges in a large internal network. And you minimize the performance impact of having snort run through a huge list of addresses for each packet.
To get rid of some nasty messages of (false) portscans define the variable
DNS_SERVERS to hold all ip addresses of dns-servers along with other nodes like network management stations triggering snort's portscan module. This is an ongoing process.
You also can define your own variables here which you can refer to in your
own rules. This is helpful e.g. if using pass rules to suite your environment.
Define all other variables to appropriate values or as in the shipped
/etc/snort/snort.conf to $HOME_NET.
var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS [1.1.1.1/32,2.2.2.2/32? var SMTP_SERVERS $HOME_NET ...
----4.2.1.2. Snort Preprocessors
Next we have to set up the preprocessors to be used. While the more
preprocessors you use you get more triggers for alarms but for the cost of performance. So be careful in choosing preprocessors.
You should also have a look on Marty's ''Snort Users
Manual'' because some preprocessors are deprecated. For those you should use the new introduced ones.
The preprocessors minfrag and
stream are depricated in favor of stream4, and defrag is deprecated by frag2.
frag2 is the new IP defragmentation processor
introduced in snort v1.8 which should be more memory efficient than defrag/minfrag.
From the Snort Users Manual:
The stream4 module provides TCP stream reassembly and stateful analysis capabilities to Snort. Robust stream reassembly capabilities allow Snort to ignore stateless attacks such as stick and snot produce.Stream4 also gives large scale users the ability to track more than 256 simultaneous TCP streams. Stream4 should be able to scale to handle 64,000 simultaneous TCP connections.
The stream4 module consists of two preprocessors
called stream4 and stream4_reassemble, which both have to be used.
There are various options for both preprocessors while we will use only -
for stream4 - detect_scans for getting alarms for portscan events and detect_state_problems to be informed when stream events like evasive RST packets, data on SYN packets and out of window sequence numbers occur.
With stream4_reassemble we use the option
ports all what makes the reassembly catch all ports instead of only some predefined ones. To be honest, this is some kind of paranoic and impacts the cpu utilization of the snort sensor, but since I didn't get any bad results listening on a Pentium III 800 MHz on three 100 Mbit/s full duplex lines with average to low utilization I think it's the better solution.
Two other preprocessors we will use are portscan and
portscan-ignorehosts which are responsible for portscan detection (portscan) and for which hosts portscan detection has to be ignored (portscan-ignorehosts).
For portscan we define to look for every network using
the form 0.0.0.0/0, set the number of port numbers to be accessed in the also to be defined detection period in seconds. Additionally we have to provide the complete path to the portscan logfile.
With portscan-ignorehosts we get rid of some weird
alarms from hosts which talk too much and trigger portscan detection like name servers and network management stations (see variable DNS_SERVERS above).
Some preprocessors which are not (yet) mentioned in Marty's Users Manual
but we will use are unidecode which is a replacement of http_decode and normalizes http and UNICODE attacks, rpc_decode to normalize rpc traffic on a given port, bo to check for back orifice traffic and telnet_decode to normalize telnet negotiation strings.
Other preprocessors like SPADE are not yet covered here but may be in a
future version. Contributions are very welcome b;)
After all that theoretical stuff here is the preprocessor part of
preprocessor frag2
preprocessor stream4: detect_scans detect_state_problems preprocessor stream4_reassemble: ports all preprocessor unidecode: 80 8080 preprocessor rpc_decode: 111 preprocessor bo: -nobrute preprocessor telnet_decode preprocessor portscan: 0.0.0.0/0 6 3 /var/log/snort/portscan.log preprocessor portscan-ignorehosts: $DNS_SERVERS
----4.2.1.3. Snort Output Modules
The next part is the configuration of the output modules of which we will
use the syslog module alert_syslog to send alerts to syslog and database to additionally log to a MySQL database.
The alert_syslog module requires some options for what
has to be logged. If like in my case you are using !SnortSnarf? to analyse the logfile you'll have to add the option LOG_PID else
As stated before we will use ACID and thus we need to set up snort to log
to a database. I chose MySQL for no particular reason (well, I've heard more from MySQL than from postgreSQL but that's all).
The database output module requires the following
parameters:
Log to the alert facility. Also possible would be
the log facility. If you would like to get portscan alerts into the database you have to use alert here.
; mysql|postgrsql|odbc|oracle|mssql:
This is the type of database.
; user=`usernameb:
Here you define the username to be used with the database.
; password=`passwordb:
The required password for the given user.
; dbname=`databasenameb:
The name of the database to be used for logging into.
Here you define the host on which the database is running. Use
localhost if the database is running on the snort sensor itself.
Here you put in a unique name which is used to differentiate
between various sensors if more than one is logging into a single database.
Now let's take a look on the output module part of
output alert_syslog: LOG_AUTH LOG_ALERT LOG_PID
output database: alert, mysql, user=snort password=mypassword dbname=snort host=localhost sensor_name=mysensor
If you are using more than one physical snort sensor and would log to a
database I would recommend using a central database on a separate machine. You then can correlate alert data with a single console getting a better overview when attacks are found.
----4.2.1.4. Snort Rule Sets
The rules are the vital part of snort. There are various categories of
rules shipped with snort. They can be found in /etc/snort/, ending with *.rules. The format in version 1.8+ has changed to reflect the classification types. In addition priority settings of the classtypes can also be defined.
If you're using the original snort tarball I suggest copying all rule
files and classification.config into it.
The configuration of classification types is done in
/etc/snort/classification.config. Normally you
don't have to touch it since it is preconfigured for the shipped snort
rules. But if you (again like me) are using Max Vision's
vision.rules you'll have to add some lines because
the classtypes are different. Just copy and paste all config
classification: lines from vision.conf to
/etc/snort/classification.config. And remember
to take the vision.rules for snort 1.8 (called
vision18.rules and
vision18.conf on http://www.whitehats.com/) as the
older ones are not prepared for the new format introduced in snort 1.8!
Here's the /etc/snort/classification.config I
#
#
config classification: unknown,Unknown Traffic,1 config classification: bad-unknown,Potentially Bad Traffic, 2 config classification: attempted-recon,Attempted Information Leak,3 config classification: successful-recon-limited,Information Leak,4 config classification: successful-recon-largescale,Large Scale Information Leak,5 config classification: attempted-dos,Attempted Denial of Service,6 config classification: successful-dos,Denial of Service,7 config classification: attempted-user,Attempted User Privilege Gain,8 config classification: unsuccessful-user,Unsuccessful User Privilege Gain,7 config classification: successful-user,Successful User Privilege Gain,9 config classification: attempted-admin,Attempted Administrator Privilege Gain,10 config classification: successful-admin,Successful Administrator Privilege Gain,11
config classification: not-suspicious,policy traffic that is not suspicious,0 config classification: suspicious,suspicious miscellaneous traffic,1 config classification: info-failed,failed information gathering attempt,2 config classification: relay-failed,failed relay attempt,3 config classification: data-failed,failed data integrity attempt,4 config classification: system-failed,failed system integrity attempt,5 config classification: client-failed,failed client integrity attempt,6
config classification: denialofservice,denial of service,7 config classification: info-attempt,information gathering attempt,8 config classification: relay-attempt,relay attempt,9 config classification: data-attempt,data integrity attempt,10 config classification: system-attempt,system integrity attempt,11 config classification: client-attempt,client integrity attempt,12 config classification: data-or-info-attempt,data integrity or information gathering attempt,13 config classification: system-or-info-attempt,system integrity or information gathering attempt,14 config classification: relay-or-info-attempt,relay of information gathering attempt,15
config classification: info-success,successful information gathering attempt,16 config classification: relay-success,successful relay attempt,17 config classification: data-success,successful data integrity attempt,18 config classification: system-success,successful system integrity attempt,19 config classification: client-success,successful client integrity attempt,20
The classification and rule files are included in
/etc/snort/snort.conf. Some rule files used here have been copied from the CVS, e.g. virus.rules because they were not shipped with the standard distribution.
As stated before the vision.rules file will be
fetched via the tool arachnids_upd which is discussed later.
Arachnids_upd changes the name from vision18.rules to
vision.rules but the rules are of course the ones prepared for snort 1.8+.
Since the variable definitions for INTERNAL and EXTERNAL in
vision.rules are not the same as with the snort rules I use a script to change these names. Take a look at the arachnids_upd section below.
- Include classification 8 priority settings
include /etc/snort/classification.config include /etc/snort/exploit.rules include /etc/snort/scan.rules include /etc/snort/finger.rules include /etc/snort/ftp.rules include /etc/snort/telnet.rules include /etc/snort/smtp.rules include /etc/snort/rpc.rules include /etc/snort/rservices.rules include /etc/snort/backdoor.rules include /etc/snort/dos.rules include /etc/snort/ddos.rules include /etc/snort/dns.rules include /etc/snort/netbios.rules include /etc/snort/web-cgi.rules include /etc/snort/web-coldfusion.rules include /etc/snort/web-frontpage.rules include /etc/snort/web-iis.rules include /etc/snort/web-misc.rules include /etc/snort/sql.rules include /etc/snort/x11.rules include /etc/snort/icmp.rules include /etc/snort/shellcode.rules include /etc/snort/misc.rules include /etc/snort/policy.rules include /etc/snort/info.rules
include /etc/snort/virus.rules include /etc/snort/local.rules
include /etc/snort/vision.rules
When you are done with setting up
/etc/snort/snort.conf you should start snort by calling /etc/rc.d/init.d/snortd start and correct any errors you get in the log file /var/log/messages (ignore any database related messages since the database has not been set up at this time, you also may have to document out the output module database). If everything is ok you can go on with configuring the other parts.
In /etc/rc.d/init.d/snortd you should edit at least the
line with the interface to be "snort'ed". Replace the definition of INTERFACE="eth0" with the interface you use. This can be another ethernet (ethx) but also a pppx or ipppx interface, e.g. if you are using ISDN your definition should be like
INTERFACE="ippp0"
If your snort sensor is only listening on one interface it's sufficient to
use the shipped snortd initscript. But if you have more than one interface you may be interested in having a look onto the script I extended for exactly that case. Even when you only have one interface but wish to use swatch the way I do you could copy the swatch parts to the shipped snortd script (see the contrib section of the RPM's documentation).
Next you find the mentioned snortd initscript I extended for snort to listen
on more than one interface. One could now say that you can also use any as an interface name since the underlying libpcap makes this possible, but that's not what I intended to use because I'm not interested in "snorting" the local network where the snort sensor is set up. This should - in a secure environment - be a separate network segment with additional security set up, e.g. a firewall for that segment, so sniffing does not make much sense except if you want to sniff attacks targeted to the snort network itself. Even then, if you use more than one sensor concentrated in that segment you only need to set up one but not all of the sensors for protecting the segment.
I added a new function daemonMult derived from !RedHat's
daemon function found in /etc/rc.d/init.d/functions which is capable of starting a program more than once. I sent !RedHat a patch for their daemon function to introduce a new option --mult which eventually will be added. If that happens the daemonMult function will be obsolete and the call to snort would change from daemonMult ... to daemon --mult .... Let's wait and see.
I also changed the subsystem name from snort to snortd to get rid of error
messages when rebooting (the killall script on a redhat box depends on the correct name), just a little typo.
With my script you can now define multiple interfaces to be watched on,
just use a space separated list with the INTERFACE variable, like in the listing shown below.
Some sanity checks are also included to see if the interface to listen on is
already up and if there is an IP address defined. If there is an IP address defined the correspondig config which on a !RedHat linux box is found in /etc/sysconfig/network-scripts/ifcfg-`interface nameb will be used, else the interface is set up as IP-less in promiscuous mode.
THIS HAS NOT YET BEEN TESTED WITH ANYTHING ELSE THAN ETHERNET INTERFACES! I
WILL HOPEFULLY SOON REVIEW IT WITH ISDN INTERFACES AND REPORT HOW THE DIFFERENCES ARE!
A single snort process is then started on each interface, and also
swatch will be started to check for errors when restarting snort for rule updates (see the swatch section below).
When shutting down snort all IP-less interfaces will be shut down but not
any interfaces with existing IP configurations because that could last to inaccessability if the "snort'ed" interface is vital for the snort sensor (learned that the hard way b;)
Maybe a better solution would be to check the interface's config file for an
entry like
ONBOOT=yes
and only if there is not yes then the interface will be
shut down. But that's not yet implemented.
Now here is the extended snort initscript:
#
#
#
#
. /etc/rc.d/init.d/functions
daemonMult() {
gotbase= user= nicelevel=0 while [ "$1" != "${1##-}" -o "$1" != "${1##+}"?; do case $1 in '') echo '$0: Usage: daemon [+/-nicelevel? {program}' return 1;; --check) shift base=$1 gotbase="yes" shift ;; --user) shift daemon_user=$1 shift ;;
shift ;;
;; esac done
[ -z $gotbase? 88 base=`basename $1`
ulimit -S -c 0 b/dev/null 2b81
[ "$BOOTUP" = "verbose"? 88 echo -n " $base"
if [ -z "$daemon_user"?; then nice -n $nicelevel initlog $INITLOG_ARGS -c "$*" 88 success "$base startup" || failure "$base startup" else nice -n $nicelevel initlog $INITLOG_ARGS -c "su $daemon_user -c \"$*\"" 88 success "$base startup" || failure "$base startup" fi }
INTERFACE="eth1 eth2"
case "$1" in start) if [ -x /usr/bin/swatch? ; then echo -n "Starting swatch: "
/usr/bin/swatch --daemon --tail /var/log/messages --config-file /etc/swatch/swatchrc 8 touch /var/lock/subsys/swatch echo "done." echo fi
for i in `echo "$INTERFACE"` ; do echo -n "Starting snort on interface $i: "
if [[ `/sbin/ifconfig $i 2b81 | /bin/grep -c "Device not found"` = "0" \
if [ `echo $i? ; then
if [ -s "/etc/sysconfig/network-scripts/ifcfg-$i"?; then
/sbin/ifup $i else
/sbin/ifconfig $i up promisc fi fi fi
daemonMult /usr/sbin/snort -u snort -g snort -d -D \
echo done touch /var/lock/subsys/snortd ;; stop) echo -n "Stopping snort: " killproc snort rm -f /var/lock/subsys/snortd
if [ -x /usr/bin/swatch? ; then echo echo -n "Stopping swatch: " kill `ps x|grep "/usr/bin/swatch"|grep -v grep|awk '{ print $1 }'` rm -f /var/lock/subsys/swatch fi
for i in `echo "$INTERFACES"`; do if
lib/CachedMarkup.php (In template 'browse' < 'body' < 'html'):257: Error: Pure virtual
lib/main.php:944: Notice: PageInfo: Cannot find action page
lib/main.php:839: Notice: PageInfo: Unknown action
lib/InlineParser.php:336: Warning: Invalid [] syntax ignored: [[`echo $i | /bin/grep -c "^eth"` = "1" -a \
lib/CachedMarkup.php (In template 'browse' < 'body' < 'html'):257: Error: Pure virtual