Snort mailing list archives
Re: Snort Just Does Not Want To Work on Shadow Interrface
From: Rhugga <snort-list () sandiego420 com>
Date: Tue, 20 Jul 2004 07:43:45 -0700
Joshua Berry wrote:

Sorry my bad, I am also working with nagios at version 1.2, so I got mixed up in my email earlier. The tarball I am working with is snort-2.1.3.tar.

> How is $HOME_NET configured when you do have an IP address assigned?
> Also, which version of Snort are you using, you said 1.2, but I think you are wrong as that would be an incredibly old version since we are up to 2.2.0RC1 now.
>
> With Redhat I always used something like this:
>
> DEVICE=eth1
> ONBOOT=yes
> USERCTL=no
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rhugga
> Sent: Tuesday, July 20, 2004 8:56 AM
> To: Snort-User Mailing List
> Subject: [Snort-users] Snort Just Does Not Want To Work on Shadow Interrface
>
> I will be as terse as possible here, because I have tried configs from people that claim they should work but aren't. I have read the documentation probably 5 times now, (well the documentation says version 1.0, the link on the website says 1.1, but the version I am using is 1.2)
>
> Anyway. My system is vanilla RH 9 with all updates except I build my own openssl library and also using mysql 4.x in /usr/local. (I have completely re-installed since I first started just to eliminate ANY possible issues because some people claim snort 1.2 works as I desire on RH 9)
>
> eth0
> -------------------------------
> IP address: 10.250.200.33
> Netmask: 255.255.255.0
> SysKonnect Copper GB NIC directly connected to a switch in our Black Diamond. (Cat 6 cabling with no patch panels in between)
>
> eth1
> --------------------------------
> IP address: None
> Onboard Intel NIC connected to a 4 port hub. Also on this hub is a Cisco 3600 router and 2 Netscreen Firewalls. The network on the hub is 65.120.XX.XX with netmask of 255.255.255.240
>
> Here are the contents of the /etc/sysconfig/network-scripts/ifcfg-eth1
>
> DEVICE=eth1
> BOOTPROTO=static
> ONBOOT=yes
> IPADDR=0.0.0.0
> NETMASK=0.0.0.0
>
> Note: I added this after I initially tried to get it working without adding an IP. I saw this as a solution to some people's problems in the mailing list archive.
>
> If I look at the traffic on eth1:
>
> syslog:/usr/local/snort/bin #./snort -i eth1 -v
> Running in packet dump mode
> Log directory = /var/log/snort
>
> Initializing Network Interface eth1
> OpenPcap() device eth1 network lookup:
>         eth1: no IPv4 address assigned
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Decoding Ethernet on interface eth1
>
>         --== Initialization Complete ==--
>
> -*> Snort! <*-
> Version 2.1.3 (Build 27)
> By Martin Roesch (roesch () sourcefire com, www.snort.org)
> 07/20-06:28:39.383108 207.158.24.130 -> 65.120.XX.XX
> IPV6-CRYPT TTL:52 TOS:0x0 ID:43725 IpLen:20 DgmLen:104
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 07/20-06:28:39.383705 207.158.24.130 -> 65.120.XX.XX
> IPV6-CRYPT TTL:52 TOS:0x0 ID:43726 IpLen:20 DgmLen:104
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> It is reading traffic on eth1. However, when I start nagios it will run, but it will not match anything. I get not a single alert. However, when I assign eth1 a valid IP address on the 65.120.XX.XX network, it immediately starts matching. Within seconds my alert count starts climbing. (Note that when I say I am assigning it a valid IP address I also modify HOME_NET to reflect this)
>
> Here is how I define HOME_NET when I am trying to use snort _without_ an IP address:
>
> var HOME_NET [10.250.200.0/24,10.250.201.0/24,10.250.202.0/24,10.250.203.0/24,10.250.204.0/24,10.250.205.0/24,10.250.206.0/24,65.120.XX.0/28]
> var EXTERNAL_NET any
>
> What am I doing wrong? According to the documentation and the responses to my first emails, this config is correct.
>
> What gives??
>
> Thx,
> Rhugga

If I assign interface eth1 a valid IP address on the 65.120.XX.0/28 network, it works using the same HOME_NET you see above. If I use no IP address (ie: just bring the interface up manually and not having an /etc/sysconfig/network-scripts/ifcfg-eth1 file) it does not work. If I use the /etc/sysconfig/network-scripts/ifcfg-eth1 to assign it an IP address of 0.0.0.0 and netmask of 0.0.0.0, it does not work.

Thx,
Rhugga
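
An added diagnostic example, not part of the original posts or of Snort itself: it parses Snort 2.x `var` lines and checks whether the endpoints seen in `snort -v` packet headers fall inside HOME_NET, which is what rules written against `$HOME_NET` depend on. The function names are hypothetical, the sample config and dump lines are constructed, and 198.51.100.0/28 stands in for the redacted 65.120.XX.0/28 network.

```python
import ipaddress
import re

# Constructed sample: 198.51.100.0/28 stands in for the redacted 65.120.XX.0/28.
SNORT_CONF = """\
var HOME_NET [10.250.200.0/24,10.250.201.0/24,198.51.100.0/28]
var EXTERNAL_NET any
"""

# Constructed `snort -v` header lines in the format shown in the post.
DUMP = """\
07/20-06:28:39.383108 207.158.24.130 -> 198.51.100.5
IPV6-CRYPT TTL:52 TOS:0x0 ID:43725 IpLen:20 DgmLen:104
07/20-06:28:40.100000 207.158.24.130:4431 -> 198.51.100.20:80
07/20-06:28:41.200000 10.250.200.33:22 -> 10.250.201.7:51000
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(.+?)\s*$")
PKT_RE = re.compile(r"^\d\d/\d\d-[\d:.]+\s+(\S+)\s+->\s+(\S+)")


def parse_var(conf, name):
    """Return the networks of a Snort 2.x `var` list; 'any' yields None."""
    for line in conf.splitlines():
        m = VAR_RE.match(line)
        if not m or m.group(1) != name:
            continue
        value = m.group(2)
        if value == "any":
            return None
        # strict=True raises ValueError on entries with host bits set
        return [ipaddress.ip_network(e, strict=True)
                for e in value.strip("[]").split(",")]
    raise KeyError(name)


def in_nets(addr, nets):
    """True if addr is covered by nets; None means 'any'."""
    return nets is None or any(addr in n for n in nets)


def classify(dump, home):
    """Return (src, dst, src_in_home, dst_in_home) per packet header line."""
    rows = []
    for line in dump.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # decode detail or separator line, not a header
        # Drop the :port suffix if present (IPv4 only).
        src, dst = (ipaddress.ip_address(x.split(":")[0]) for x in m.groups())
        rows.append((str(src), str(dst), in_nets(src, home), in_nets(dst, home)))
    return rows
```

A row where neither flag is true is traffic that no rule scoped to `$HOME_NET` can match, regardless of how the sniffing interface is addressed.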