Re: [Snorting 2 NICs]

[Gregory D Hough <mr6re9 () execulink com>]

On June 11, 2002 12:11 am, K.S.NARAYANAN wrote:
> I do in this way without any problem :-
>
> * I have all my rules @ /etc/snort/rules .
I haven't tweaked any rules thus far, since I get no alerts from the external 
interface yet.
> * I have 2 snort.conf files
> o /etc/snortint.conf  ( with more local rules )
> o /etc/snortext.conf  ( with standard snort rules )
OK, I did this...
> * A single snort binary & I call 2 instances of snort like this
> o Snort -c /etc/snortint.conf -I eth0
> o Snort -c /etc/snortext.conf -I eth1
...here is where the trouble begins. The -I switch will not work at all for 
either command:
]# snort -c /usr/local/etc/snort/snortext.conf -I eth1
Log directory = /var/log/snort

Initializing Network Interface eth0
ERROR: OpenPcap() FSM compilation failed:
        parse error
PCAP command: eth1
Fatal Error, Quitting..

But the swich -i does:
]# snort -c /usr/local/etc/snort/snortext.conf -i eth1
Log directory = /var/log/snort

Initializing Network Interface eth1
WARNING: OpenPcap() device eth1 network lookup:
        eth1: no IPv4 address assigned

        --== Initializing Snort ==--
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /usr/local/etc/snort/snortext.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
Back Orifice detection brute force: DISABLED
Using LOCAL time
database: compiled support for ( mysql )
database: configured to use mysql
database: database name = snort
database:          user = root
database:          host = localhost
database: password is set
database:   sensor name = farmer6re9.win.not:eth1

database:     sensor id = 3
database: schema version = 105
database: using the "alert" facility
886 Snort rules read...
886 Option Chains linked into 108 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.6 (Build 105)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

I am going to let it run like this for a day or so and see what it does. I 
still do not think any alerts will come from the external snort.

One thing I should mention is that being sort of a newbie, I am trying to 
administer most servers /etc from the Webmin GUI. Don't laugh, it is a good 
learning tool. I am comfortable at the command line however. The Webmin tool 
only allows me to set up a single interface. So I use it for the internal and 
fire up the external via the shell. Just out of curiosity, is it possible to 
initialize both interfaces with a single command? For example, Sandro offered 
a snort.multi script, but it was way out of my league. I do run a few scripts 
for port forwarding to a win box, but they are very simple.

Thanks for the suggestions,
farmer6re9
> The above method works well . Any comments please ...
>
> Regards,
>
> Narayan.
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net]On Behalf Of McCammon,
> Keith Sent: Monday, June 10, 2002 6:39 PM
> To: mr6re9 () execulink com; snort-users () lists sourceforge net
> Subject: RE: [Snort-users] [Snorting 2 NICs]
>
> You should be able to simply install another Snort instance.  Instances can
> share conf and rules files, but not the binary as far as I am aware.  Just
> do "cp snort snort2" and call snort2 for the second instance.
>
> -----Original Message-----
> From: Gregory D Hough [mailto:mr6re9 () execulink com]
> Sent: Monday, June 10, 2002 8:47 AM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] [Snorting 2 NICs]
>
>
> Greetings Group,
>
> I have Snort running into MySQL. I use ACID to view alerts. Snort works
> fine when started as: snort -c /usr/local/etc/snort/snort.conf -i eth0 -D
> but this
> is my internal interface. When fired up for eth1 (IP address ppp0) I get
> this
> in /var/log/messages:
>
> WARNING: OpenPcap() device eth1 network lookup: ^Ieth1: no Ipv4 address
> assigned
> Initializing daemon mode
> WARNING: OpenPcap() device eth1 network lookup: ^Ieth1: no Ipv4 address
> assigned
> PID stat checked out ok, PID set to /var/run
> Writing PID file to "/var/run"
> Snort initialization completed successfully, Snort running
>
> Obviously Snort sees no traffic whatsoever. Is there anyway to initialize
> Snort with two sensors, eth0 and ppp0?
>
> This is on a tutorial HOME_NET, with a Linux gateway machine and two other
> boxes inside, one Linux and one Win. I'd like to continue monitoring the
> internal due to the Win box. I have mulled over the excellent documentation
> for setting the whole thing up, thanks to everyone involved. I just haven't
> found an answer to this type of setup yet.

_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas - http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users