Snort mailing list archives
Re: using snort without an IP Addy
From: "Frontgate Lab" <mdiwan () wagweb com>
Date: Mon, 02 Jul 2001 17:48:25 -0400
Thanks Blake.. it was sticking on my netmask on the HOME_NET.. woops, I got it working mostly.

Now I just get occasional

    Use of uninitialized value in gethostbyaddr at /usr/bin/snort2html line 90

I am using snort2html to give me my snort alerts in a daily html file (I believe snort2html only does this on UDP packets).. oh well, one step at a time.

Yes, it starts on boot and I've verified it running by using ps and top :) My ifconfig for eth1 gets me:

    eth1      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:359432 errors:1473 dropped:0 overruns:35 frame:2286
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              Interrupt:10 Base address:0x1000

and my route statements don't matter since I'm not sending any packets except for the mail and alert notifications, and those go out the internal eth0 interface, which DOES have an ip addy.

ps: should I worry about the number of overruns on the interface?

Blake Frantz wrote:
When you type 'ifconfig' do you get info for eth1? Red Hat doesn't bring up the second interface on boot unless you tell it to. cat /etc/sysconfig/network-scripts/ifcfg-eth1 and verify that ONBOOT is set to 'yes'. If the file doesn't exist, create it with something similar to the following:

<snip>
DEVICE=eth1
BOOTPROTO=static
BROADCAST=192.168.1.255
IPADDR=192.168.1.10
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
</snip>

Hope this helps.

Blake

=================================================================
The Government, like diapers, should be replaced regularly, and often for the same reasons.

On Mon, 2 Jul 2001, Frontgate Lab wrote:

Hi all,

I am using snort with a manually defined HOME_NET and no IP Addy running on eth1. I am running RH 7.1 and Snort version 1.7.1 (the version that ships with RedHat is 1.7.3, which segfaults.. the 1.7.1 version from www.snort.org works quite well and is more complete).

My question is: why do I seem to be having no luck forcing the creation of alerts when I nmap scan the servers on the switch where I have snort plugged in? It is a flat switch with no vlans.. I am trying to get IDS notifications on any traffic on that switch. Any help appreciated.

My snort startup looks like this:

    # Source function library.
    . /etc/rc.d/init.d/functions

    # Specify your network interface here
    INTERFACE=eth1

    # See how we were called.
    case "$1" in
      start)
            echo -n "Starting snort: "
            daemon /usr/sbin/snort -u snort -g snort -s -d -D \
                    -i $INTERFACE -l /var/log/snort -c /etc/snort/snort.conf
            touch /var/lock/subsys/snort

While I edited the /etc/snort/snort.conf to look like this:

    var HOME_NET 21X.8X.XX.XX/24
    var EXTERNAL_NET any
    var DNS_SERVERS [192.XXX.XXX.XXX/32,198.6.1.1/32]
    preprocessor defrag
    preprocessor http_decode: 80 8080
    preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log
    preprocessor portscan-ignorehosts: $DNS_SERVERS

Shouldn't this work?
Thanks :)
Madhav
Note: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
Wagner Weber & Williams

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
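The three things this thread turns on (an interface that is up but carries no address, a HOME_NET value in the a.b.c.d/bits form Snort's default snort.conf uses, and the RX counters on the sensor NIC) can be checked from a small script. The script below is an added example, not code from the thread, from Red Hat, or from the Snort project. It assumes the interface name eth1 from the thread; the HOME_NET values it tries (192.168.1.0/24, the host address 192.168.1.10/24 copied from an ifcfg-eth1 like Blake's, and a dotted netmask) are constructed, and the RX line it parses is the one posted for eth1 above. The address check covers a single CIDR block, not the bracketed list form used for DNS_SERVERS.

```sh
#!/bin/sh
# Added example (not from the thread or the Snort project): sanity checks for a
# Snort 1.x sensor listening on an interface that has no IP address.
#  (1) bring the interface up with no address,
#  (2) validate HOME_NET as a.b.c.d/bits, as Snort's default snort.conf writes it,
#  (3) pull the RX loss counters out of an ifconfig line.
# Assumed: interface eth1 (from the thread); sample HOME_NET values constructed.

# bring_up_sniffer IFACE: put IFACE up without an address (Snort opens it
# promiscuously itself through libpcap). Needs root and the real NIC, so it
# only prints the command unless RUN=1 is set and we are root.
bring_up_sniffer() {
    cmd="ifconfig $1 0.0.0.0 up"
    if [ "${RUN:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
        $cmd
    else
        echo "would run: $cmd"
    fi
}

# ip_to_int A.B.C.D: print the address as a 32-bit integer; return 1 if it is
# not a valid dotted quad (wrong field count, non-digits, octet > 255).
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_home_net A.B.C.D/N: return 0 when the value is a CIDR block whose
# address is the network address for /N. A dotted netmask (x/255.255.255.0)
# fails the prefix test; a host address pasted from ifcfg-eth1 (192.168.1.10/24)
# fails the host-bits test, since the network address 192.168.1.0/24 is meant.
check_home_net() {
    case "$1" in
        */*) ;;
        *) echo "HOME_NET '$1': no /prefix, expected a.b.c.d/bits" >&2; return 1 ;;
    esac
    addr=${1%/*}; bits=${1#*/}
    case "$bits" in ''|*[!0-9]*) echo "HOME_NET '$1': bad prefix, expected 0-32" >&2; return 1 ;; esac
    [ "$bits" -le 32 ] || { echo "HOME_NET '$1': prefix over 32" >&2; return 1; }
    n=$(ip_to_int "$addr") || { echo "HOME_NET '$1': bad address" >&2; return 1; }
    # the low (32-N) bits are host bits; the network address has them all clear
    mask=$(( 4294967295 - ((1 << (32 - bits)) - 1) ))
    if [ $(( n & mask )) -ne "$n" ]; then
        echo "HOME_NET '$1': $addr has host bits set; use the network address for /$bits" >&2
        return 1
    fi
}

# rx_field "<ifconfig RX line>" NAME: print the value of the NAME:VALUE counter.
rx_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2:\([0-9][0-9]*\).*/\1/p"
}

# rx_counters "<ifconfig RX line>": print the four loss counters and return 1
# if any is non-zero. On a sensor each frame counted here is one Snort never
# inspected; overruns in particular mean the NIC FIFO filled before the host
# drained it. Drivers overlap these counters differently, so they are not summed.
rx_counters() {
    bad=0; out=""
    for name in errors dropped overruns frame; do
        v=$(rx_field "$1" "$name"); v=${v:-0}
        out="$out $name=$v"
        [ "$v" -eq 0 ] || bad=1
    done
    echo "${out# }"
    return $bad
}

# The RX line posted for eth1 in the message above.
SAMPLE_RX='RX packets:359432 errors:1473 dropped:0 overruns:35 frame:2286'

bring_up_sniffer eth1
# constructed HOME_NET candidates: correct, host address, dotted netmask
for hn in 192.168.1.0/24 192.168.1.10/24 192.168.1.0/255.255.255.0; do
    if check_home_net "$hn"; then echo "HOME_NET $hn: ok"; fi
done
rx_counters "$SAMPLE_RX" || echo "eth1 has lost frames; the sensor missed traffic"
```

The counters ifconfig shows are cumulative since boot, so read them twice a few minutes apart: a number that is still climbing while the sensor runs is the one to act on. On a current system `ip link set eth1 up` does what the ifconfig line does here.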
Current thread:
- spp_http_decode niko (Jul 02)
- Re: spp_http_decode Blake Frantz (Jul 02)
- using snort without an IP Addy Frontgate Lab (Jul 02)
- Re: using snort without an IP Addy Blake Frantz (Jul 02)
- Re: using snort without an IP Addy Frontgate Lab (Jul 02)
- Re: using snort without an IP Addy Blake Frantz (Jul 02)
- Re: using snort without an IP Addy Blake Frantz (Jul 02)
- Re: spp_http_decode Vitaly Osipov (Jul 03)