Snort mailing list archives
Re: Snort on Linux Help
From: David Wilkeson <davelist () cboss com>
Date: Mon, 26 Nov 2001 11:39:38 -0500
At 08:16 AM 11/26/2001 -0800, you wrote:
> David:
>
> David Wilkeson wrote:
>> I'm running Redhat which was preinstalled on a new Dell server. libpcap
>> was installed, but when it didn't work I removed it and installed
>> various versions myself.
>
> What "various versions"? The only version worth bothering with is at:
> http://www.tcpdump.org/ and is libpcap-0.6.2.tar.gz

That's the first one I tried. Then I tried 0.6.2-9.i386.rpm and 0.4-29.i386.rpm. I think I am back to 0.6.2.tar.gz, but I will recompile to be sure. All from tcpdump.org.

>> None of them work.
>
> What do you mean? They won't compile? They won't install? They compile
> and install, but then what?
>
> You *really* need to be more specific about what you've got, and what's
> happening, for someone to be able to help you...

They all compile, they all install, none produce any errors. ifconfig when snort is running does not report the interface in promiscuous mode, although I can put it in manually. /var/log/messages reports the interface going in and out of promiscuous mode when snort or ethereal runs, or when I put it into promisc manually. In no case does ethereal or snort see anything other than IPs it is directly talking to, or broadcast addresses. And it's not a physical ethernet problem, as a Windows snort box plugged into the same ethernet port works fine.

>> Do some net cards not support promiscuous mode even when the syslog
>> reports them going into promiscuous mode?
>
> promiscuous mode isn't necessary for tcpdump/libpcap to "work" -- it just
> lets you see more than you might otherwise..
>
> If "ifconfig -a" says the particular interface you're talking about is in
> promiscuous mode, I'd be willing to bet that it *is*..

/var/log/messages reports that the interface entered promiscuous mode, but ifconfig -a does not. I can "ifconfig eth0 promisc" and then ifconfig -a says it's in promiscuous mode (messages also says it is), but nothing changes with the snort output.

> What's the output from "uname -a"?

[root@ids /snort]# uname -a
Linux ids 2.4.3-6smp #1 SMP Wed May 16 04:29:16 EDT 2001 i686 unknown

> What's the output from "tcpdump -V" if that's working at all...?

tcpdump is not installed anymore. I removed it per snort setup instructions posted on sans.org.

Dave

> - John
>
>> At 02:22 PM 11/21/2001 -0800, you wrote:
>>> OK, what flavor of Linux distribution are you running? Have you built
>>> your own kernel or are you using the 'stock' one? RedHat, Mandrake and
>>> Slackware all seem to properly support libpcap right out of the box...
>>> In any case - until either tcpdump or ethereal work (both use libpcap)
>>> you won't get anywhere with snort...
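The thread above mixes three different questions: whether ifconfig shows the PROMISC flag, whether the kernel logged a promiscuous-mode transition, and whether the capture actually contains packets between other hosts (the test David is really applying when he says he sees only his own and broadcast traffic). The script below is an added example, not code from the thread or from Snort or libpcap, that checks each of them separately. Every input in it is constructed sample data in the layout of the net-tools, syslog and tcpdump of the period; the interface name eth0 and the 192.0.2.0/24 addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Three checks that separate the
# questions mixed together above: does ifconfig show PROMISC, did the kernel
# log a promiscuous-mode transition, and is the capture actually carrying
# packets between OTHER hosts? All input below is constructed sample data in
# the format of the period's net-tools, syslog and tcpdump; nothing is read
# from the running system.

IFACE="eth0"

# Constructed ifconfig(8) output (net-tools 1.60 layout).
IFCONFIG_OUT='eth0      Link encap:Ethernet  HWaddr 00:50:56:00:00:01
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'

# Constructed /var/log/messages excerpt.
SYSLOG='Nov 26 11:20:03 ids kernel: device eth0 entered promiscuous mode
Nov 26 11:21:40 ids kernel: device eth0 left promiscuous mode
Nov 26 11:30:01 ids kernel: device eth0 entered promiscuous mode'

# Constructed "tcpdump -n" lines ("src.port > dst.port: ...").
CAPTURE='11:30:02.1 192.0.2.10.1025 > 192.0.2.1.53: udp 30
11:30:02.2 192.0.2.1.53 > 192.0.2.10.1025: udp 100
11:30:02.3 192.0.2.7.2048 > 192.0.2.255.138: udp 201
11:30:02.4 192.0.2.5.1234 > 192.0.2.7.80: S 1:1(0) win 512'

# 1. Is PROMISC among the flags ifconfig prints for the interface?
#    Returns 0 (true) or 1 (false) like a normal shell test.
ifconfig_promisc() {   # $1 = ifconfig output, $2 = interface
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $1 == ifc        { cur = 1; next }   # header line of our interface
        /^[^ ]/          { cur = 0 }         # header line of another one
        cur && /PROMISC/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# 2. Last promiscuous-mode transition the kernel logged for the interface:
#    prints "entered", "left" or "none".
syslog_last_promisc() {   # $1 = log text, $2 = interface
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $0 ~ ("device " ifc " entered promiscuous mode") { last = "entered" }
        $0 ~ ("device " ifc " left promiscuous mode")    { last = "left" }
        END { print (last == "" ? "none" : last) }'
}

# 3. Count packets where neither endpoint is this host or the broadcast
#    address. Only a non-zero count here proves that the NIC, driver and
#    libpcap are really delivering other hosts' unicast traffic; the flag
#    in ifconfig and the syslog message do not.
third_party_packets() {   # $1 = capture text, $2 = host IP, $3 = broadcast IP
    printf '%s\n' "$1" | awk -v me="$2" -v bc="$3" '
        function host(a) { sub(/:$/, "", a); sub(/\.[0-9]+$/, "", a); return a }
        $3 == ">" {
            src = host($2); dst = host($4)
            if (src != me && dst != me && src != bc && dst != bc) n++
        }
        END { print n + 0 }'
}

# Report for the constructed data. On a real box replace the three variables
# with "$(ifconfig -a)", "$(tail -50 /var/log/messages)" and
# "$(tcpdump -n -i $IFACE -c 200 2>/dev/null)" respectively.
if ifconfig_promisc "$IFCONFIG_OUT" "$IFACE"; then flag=yes; else flag=no; fi
echo "ifconfig shows PROMISC on $IFACE:      $flag"
echo "last kernel promisc event for $IFACE:  $(syslog_last_promisc "$SYSLOG" "$IFACE")"
echo "third-party packets in capture:        $(third_party_packets "$CAPTURE" 192.0.2.10 192.0.2.255)"
```

Two caveats when reading the results on a box like the one in the thread. On the 2.4 kernels of that period, the flag ifconfig prints comes from a separate copy of IFF_PROMISC that is only set by ifconfig itself, so promiscuity requested through a packet socket (which is how libpcap sets it) appears in the kernel log but not in "ifconfig -a", while "ifconfig eth0 promisc" appears in both; the two disagreeing is therefore not by itself evidence of a fault. And the third check is the only one that matters for a sensor: run the capture once with "tcpdump -p" (which tells it not to enter promiscuous mode) and once without, and the difference should be the other hosts' unicast traffic. If there is no difference on a switched port, that is expected, since a switch only forwards broadcast and the port's own MAC unless it is a hub, a tap or a mirror port, which is why comparing against a second capture box on the same port, as the thread does, is a useful control.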
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort on Linux Help David Wilkeson (Nov 21)
- <Possible follow-ups>
- RE: Snort on Linux Help Michael Aylor (Nov 21)
- RE: Snort on Linux Help David Wilkeson (Nov 21)
- RE: Snort on Linux Help Michael Aylor (Nov 21)
- Message not available
- RE: Snort on Linux Help David Wilkeson (Nov 26)
- RE: Snort on Linux Help Erek Adams (Nov 26)
- Message not available
- Re: Snort on Linux Help David Wilkeson (Nov 26)
- Re: Snort on Linux Help John Sage (Nov 26)
- Re: Snort on Linux Help David Wilkeson (Nov 26)
- Re: Snort on Linux Help John Sage (Nov 26)
- RE: Snort on Linux Help Michael Aylor (Nov 26)
- RE: Snort on Linux Help Michael Aylor (Nov 26)
- RE: Snort on Linux Help David Wilkeson (Nov 27)