Snort mailing list archives
RE: Libpcap and 'ip-address-less' interfaces...
From: Joshua Wright <Joshua.Wright () jwu edu>
Date: Wed, 5 Dec 2001 10:04:15 -0500
The folks at RedHat did some strange things with libpcap to include the device name in the dump records. See Dave Dittrich's rant in his SSH CRC32 exploit analysis at http://staff.washington.edu/dittrich/misc/ssh-analysis.txt (roughly halfway through the document in the "Network Traffic" section).

I recommend downloading a clean libpcap distro and recompiling a static snort binary using the extracted libpcap tarball.

Let us know how you make out.

-Joshua Wright
Team Leader, Networks and Systems
Johnson & Wales University
Joshua.Wright () jwu edu
pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD44B4A73
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

-----Original Message-----
From: Peter Bates [mailto:Peter.Bates () lshtm ac uk]
Sent: Wednesday, December 05, 2001 9:18 AM
To: snort-users
Subject: [Snort-users] Libpcap and 'ip-address-less' interfaces...

Hello all...

I've been running snort (currently 1.8.2) for nearly a year or so now without complaint, and only the odd confused moment (on my part!)...

I updated recently to a RedHat packaged (this is all running on a hacked-around RH 7.1) version of libpcap-0.6.2, and have seen the following:

WARNING: OpenPcap() device eth1 network lookup: ^Ieth1: no IPv4 address assigned

As you might guess, eth1 is my 'snorting' interface, brought up (as per the FAQ and many discussions here) with just ifconfig eth1 up.

Snort here doesn't complain, but many other little apps I'm trying to try that rely on libpcap bomb out because of the lack of IP address.

Will sticking a non-routable private IP address on this interface (which faces the 'outside' world) be OK, if it remains promiscuous, or should I be complaining to the authors of these apps to make them behave like Snort, and complain about the lack of IP address, but carry on regardless?

Hope this makes some sort of sense...

-------------------------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-927 2124 / Fax: 0207- 636 9838

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
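
An added example, not part of the thread and not Snort or libpcap code: a check of whether a capture file uses the stock libpcap record layout or an extended one, the kind of dump-record mismatch the reply above describes. The extended magic number 0xa1b2cd34 and the 8 extra bytes per record (interface index, protocol, packet type, pad) are assumptions about the patched format that the thread does not state; the sample files are constructed.

```python
import struct

STD_MAGIC = 0xA1B2C3D4  # stock libpcap savefile magic
EXT_MAGIC = 0xA1B2CD34  # assumed magic of the patched (extended-record) format

def inspect_savefile(data):
    """Return (variant, byte_order, records) for a pcap savefile given as bytes."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    for order in ("<", ">"):  # the writer's byte order is not known in advance
        magic = struct.unpack(order + "I", data[:4])[0]
        if magic in (STD_MAGIC, EXT_MAGIC):
            break
    else:
        raise ValueError("not a pcap savefile")
    extended = magic == EXT_MAGIC
    rec_len = 24 if extended else 16  # extended records carry 8 extra bytes
    records, off = [], 24
    while off + rec_len <= len(data):
        ts_sec, _usec, caplen, _wire = struct.unpack(order + "4I", data[off:off + 16])
        extra = None
        if extended:
            ifindex, proto, pkt_type, _pad = struct.unpack(
                order + "IHBB", data[off + 16:off + 24])
            extra = {"ifindex": ifindex, "protocol": proto, "pkt_type": pkt_type}
        off += rec_len
        if off + caplen > len(data):
            raise ValueError("truncated packet data")
        records.append({"ts_sec": ts_sec, "caplen": caplen, "extra": extra})
        off += caplen
    return ("extended" if extended else "standard",
            "little" if order == "<" else "big", records)

def build_sample(extended):
    """Constructed one-packet savefile (little-endian, Ethernet link type)."""
    magic = EXT_MAGIC if extended else STD_MAGIC
    out = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    out += struct.pack("<4I", 1007564655, 0, 4, 4)
    if extended:
        out += struct.pack("<IHBB", 3, 0x0800, 0, 0)
    return out + b"\xde\xad\xbe\xef"

if __name__ == "__main__":
    for ext in (False, True):
        print(inspect_savefile(build_sample(ext)))
```

A reader that assumes 16-byte record headers on an extended file will treat the extra 8 bytes as packet data and lose sync on the next record, which is why the variant is checked before any record is parsed.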
Current thread:
- Libpcap and 'ip-address-less' interfaces... Peter Bates (Dec 05)
- <Possible follow-ups>
- RE: Libpcap and 'ip-address-less' interfaces... Joshua Wright (Dec 05)
- Re: Libpcap and 'ip-address-less' interfaces... Fyodor (Dec 05)
- RE: Libpcap and 'ip-address-less' interfaces... Michael Aylor (Dec 05)