Snort mailing list archives
RE: Snort Just Does Not Want To Work on Shadow Interrface
From: "Harper, Patrick" <patrick.harper () phns com>
Date: Tue, 20 Jul 2004 11:41:44 -0500
If you are running ./snort -i eth1 -v then it will not match rules; throw a -c /etc/snort/snort.conf in there so it reads your rules files.

-----Original Message-----
From: Rhugga [mailto:snort-list () sandiego420 com]
Sent: Tuesday, July 20, 2004 8:56 AM
To: Snort-User Mailing List
Subject: [Snort-users] Snort Just Does Not Want To Work on Shadow Interrface

I will be as terse as possible here, because I have tried configs from people that claim they should work but aren't. I have read the documentation probably 5 times now (well, the documentation says version 1.0, the link on the website says 1.1, but the version I am using is 1.2).

Anyway. My system is vanilla RH 9 with all updates, except I build my own openssl library and am also using mysql 4.x in /usr/local. (I have completely re-installed since I first started just to eliminate ANY possible issues, because some people claim snort 1.2 works as I desire on RH 9.)

eth0
-------------------------------
IP address: 10.250.200.33
Netmask: 255.255.255.0
SysKonnect Copper GB NIC directly connected to a switch in our Black Diamond. (Cat 6 cabling with no patch panels in between)

eth1
--------------------------------
IP address: None
Onboard Intel NIC connected to a 4 port hub. Also on this hub is a Cisco 3600 router and 2 Netscreen Firewalls. The network on the hub is 65.120.XX.XX with netmask of 255.255.255.240

Here are the contents of the /etc/sysconfig/network-scripts/ifcfg-eth1

    DEVICE=eth1
    BOOTPROTO=static
    ONBOOT=yes
    IPADDR=0.0.0.0
    NETMASK=0.0.0.0

Note: I added this after I initially tried to get it working without adding an IP. I saw this as a solution to some people's problems in the mailing list archive.

If I look at the traffic on eth1:

    syslog:/usr/local/snort/bin #./snort -i eth1 -v
    Running in packet dump mode
    Log directory = /var/log/snort
    Initializing Network Interface eth1
    OpenPcap() device eth1 network lookup:
    eth1: no IPv4 address assigned
    --== Initializing Snort ==--
    Initializing Output Plugins!
    Decoding Ethernet on interface eth1
    --== Initialization Complete ==--
    -*> Snort! <*-
    Version 2.1.3 (Build 27)
    By Martin Roesch (roesch () sourcefire com, www.snort.org)
    07/20-06:28:39.383108 207.158.24.130 -> 65.120.XX.XX
    IPV6-CRYPT TTL:52 TOS:0x0 ID:43725 IpLen:20 DgmLen:104
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    07/20-06:28:39.383705 207.158.24.130 -> 65.120.XX.XX
    IPV6-CRYPT TTL:52 TOS:0x0 ID:43726 IpLen:20 DgmLen:104
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

It is reading traffic on eth1. However, when I start nagios it will run, but it will not match anything. I get not a single alert. However, when I assign eth1 a valid IP address on the 65.120.XX.XX network, it immediately starts matching. Within seconds my alert count starts climbing. (Note that when I say I am assigning it a valid IP address I also modify HOME_NET to reflect this.)

Here is how I define HOME_NET when I am trying to use snort _without_ an IP address:

    var HOME_NET [10.250.200.0/24,10.250.201.0/24,10.250.202.0/24,10.250.203.0/24,10.250.204.0/24,10.250.205.0/24,10.250.206.0/24,65.120.XX.0/28]
    var EXTERNAL_NET any

What am I doing wrong? According to the documentation and the responses to my first emails, this config is correct. What gives??

Thx,
Rhugga
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
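Added example (not part of the original thread and not Snort project code): a shell preflight for the point made in the reply above, that a command line without -c never loads rules. It looks only at the -c and -l flags and at "include ... .rules" lines in the config; the function names are hypothetical.

```sh
#!/bin/sh
# Added example. Assumes Snort 2.x command-line conventions; only -c and -l
# are inspected, every other argument (-i eth1, -v, ...) is ignored.

# Print the value that follows flag $1 in the remaining arguments.
opt_value() {
    want=$1; shift; prev=""
    for arg in "$@"; do
        if [ "$prev" = "$want" ]; then printf '%s\n' "$arg"; return 0; fi
        prev=$arg
    done
    return 0
}

# Print the mode a command line selects:
#   nids    = -c given: the config is read and rules are matched
#   logger  = -l without -c: packets are written to disk, no rules
#   sniffer = neither (e.g. plain -v): packets are dumped, no rules
snort_mode() {
    if [ -n "$(opt_value -c "$@")" ]; then echo nids
    elif [ -n "$(opt_value -l "$@")" ]; then echo logger
    else echo sniffer
    fi
}

# Return 0 only if this command line can produce alerts.
snort_preflight() {
    mode=$(snort_mode "$@")
    if [ "$mode" != nids ]; then
        echo "no -c: snort starts in $mode mode and matches no rules" >&2
        return 1
    fi
    conf=$(opt_value -c "$@")
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Count uncommented include lines that pull in a .rules file.
    n=$(grep -c -E '^[[:space:]]*include[[:space:]].*\.rules[[:space:]]*$' \
        "$conf" || true)
    [ "$n" -gt 0 ] || { echo "$conf includes no .rules files" >&2; return 3; }
    echo "ok: NIDS mode, $n rule files included"
}

# The command line from the thread: reported as sniffer mode, exit status 1.
snort_preflight -i eth1 -v || true
```

Running snort_preflight with the same arguments you intend to pass to snort, before starting the sensor, catches both the missing -c and a config whose rule includes are all commented out.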
Current thread:
- Snort Just Does Not Want To Work on Shadow Interrface Rhugga (Jul 20)
- Re: Snort Just Does Not Want To Work on Shadow Interrface Paul Schmehl (Jul 20)
- Re: Snort Just Does Not Want To Work on Shadow Interrface Rhugga (Jul 20)
- Re: Snort Just Does Not Want To Work on Shadow Interrface Paul Schmehl (Jul 20)
- Re: Snort Just Does Not Want To Work on Shadow Interrface Rhugga (Jul 20)
- RE: Snort Just Does Not Want To Work on Shadow Interrface Patrick S. Harper (Jul 20)
- Re: Snort Just Does Not Want To Work on Shadow Interrface Rhugga (Jul 20)
- Re: Snort Just Does Not Want To Work on Shadow Interrface Paul Schmehl (Jul 20)
- <Possible follow-ups>
- RE: Snort Just Does Not Want To Work on Shadow Interrface Joshua Berry (Jul 20)
- Re: Snort Just Does Not Want To Work on Shadow Interrface Rhugga (Jul 20)
- RE: Snort Just Does Not Want To Work on Shadow Interrface Harper, Patrick (Jul 20)
- Re: Snort Just Does Not Want To Work on Shadow Interrface Rhugga (Jul 20)
- RE: Snort Just Does Not Want To Work on Shadow Interrface Patrick S. Harper (Jul 20)
- Re: Snort Just Does Not Want To Work on Shadow Interrface Rhugga (Jul 20)