Snort mailing list archives
RE: Promiscuous monitoring
From: Francis Yom <fyom () symmsys com>
Date: 02 Jul 2002 10:24:26 -0400
Thanks for the advice Dan, but it's not it. I have snort running on an old but reliable 10BaseT hub. It used to be able to work just fine under the older 1.73 version of snort.

I did have problems getting the thing into promisc mode initially. I have an Intel E100B adapter in it. Using the e100.o module you can compile from Intel's source, I could not get it to go promisc. I switched over to the open source (David Hine's) eepro100 module, and I could get it to run in promisc at that point.

I do have some snorting. The stream4 preprocessor seems to work and I can detect port 21 stealth activity, but that is it. I have all the rules enabled and the box is a Pentium Pro 180 (400 bogomips). I'm running Debian with Kernel 2.4.19-pre1-ac2 with rmap VM and xfs filesystem. System has run stable - no oops or crashes or any other weirdness.

So what do you think?

-f

PS. Any snorters here from NYC? I'm going to be in town for 4th of July. :-)

On Tue, 2002-07-02 at 10:05, Dan Fiorito wrote:
If it is an Auto Sense hub it will act as a switch between speeds. Make sure all devices are running at the same speed.

Dan

-----Original Message-----
From: Francis Yom [mailto:fyom () symmsys com]
Sent: Tue 7/2/2002 9:22 AM
To: Jason Gauthier
Cc: 'Eric Ferguson'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Promiscuous monitoring

I have the exact same problem. I hope someone can pass a clue as to what might be causing this.

-francis

On Tue, 2002-07-02 at 08:02, Jason Gauthier wrote:
> My first thought is that the EXTERNAL_NET variable isn't set right.
> Is that assigned as "any"?
>
> -----Original Message-----
> From: Eric Ferguson [mailto:eric.ferguson () jaguartech com]
> Sent: Tuesday, July 02, 2002 7:06 AM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Promiscuous monitoring
>
> I have Snort 1.8.6 running on Red Hat 7.3 with ACID and MySQL. I start
> Snort with the -v option to verify that Snort is seeing traffic and all
> seems well. My only problem is that attacks (ones I generate myself) are
> only logged if directed at the Snort IP address. If I direct an attack to
> another machine on the same subnet, Snort does not identify the attack (yes
> I am running a hub and not a switch...:-)). Sounds like something simple to
> me, I am just not sure what it is.
>
> Thanks,
>
> Eric Ferguson - NNCSE
> 4440 Embassy Drive
> Sykesville, Md. 21784
> phone: 410-876-0585
> cell: 443-677-6119
> email: eric.ferguson () jaguartech com

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Promiscuous monitoring Eric Ferguson (Jul 02)
- <Possible follow-ups>
- RE: Promiscuous monitoring Jason Gauthier (Jul 02)
- RE: Promiscuous monitoring Francis Yom (Jul 02)
- RE: Promiscuous monitoring Francis Yom (Jul 02)
- RE: Promiscuous monitoring Erek Adams (Jul 02)
- RE: Promiscuous monitoring Francis Yom (Jul 02)
- RE: Promiscuous monitoring Erek Adams (Jul 02)
- RE: Promiscuous monitoring Erek Adams (Jul 02)
- ipchains intergration electroteque (Jul 02)
- Re: ipchains intergration Skip Carter (Jul 02)