Snort mailing list archives
RE: Snort Just Not Working With Shadow Interface
From: "Joshua Berry" <jberry () PENSON COM>
Date: Wed, 4 Aug 2004 16:24:20 -0500
Again, you questioning is confusing. Snort is at version 2.2.0RC1 right now (I am pretty sure you are not using a version that is lower than 1.9.x). Also, what does Nagios have to do with Snort, why do you keep including it in your posts? How are you defining HOME_NET when the interface is configured with an IP address (since you say that you change it when running with an IP)? Once again, I am running Snort on Redhat 9.0 with this config and it is generating alerts all day long: DEVICE=eth1 ONBOOT=yes USRCTL=no You said that snort reads packets without an IP but does not alert. This indicates that Snort is working just fine and that you might have something defined wrong causing Snort to miss everything. If snort is capturing packets then it is functioning. -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rhugga Sent: Tuesday, July 20, 2004 8:49 AM To: Snort-User Mailing List Subject: [Snort-users] Snort Just Not Working With Shadow Interface I will be as terse as possible here, because I have tried configs from people that claim they should work but aren't. I have read the documentatrion probably 5 times now, (well the documentation says version 1.0, the link on the website says 1.1, but the version I am using is 1.2) Anyway. My system is vanilla RH 9 with all updates except I build my own openssl library and also using mysql 4.x in /usr/local. ( I have compeltely re-installed since I first started just to eliminate ANY possible issues because some people claim snort 1.2 works as I desire on RH 9) eth0 ------------------------------- IP address: 10.250.200.33 Netmask: 255.255.255.0 SysKonnect Copper GB NIC directly connected to a switch in our Black Diamond. (Cat 6 cabling with no patch panels in between) eth1 -------------------------------- IP address: None Onboard Intel NIC connected to a 4 port hub. Also on this hub is a Cisco 3600 router and 2 Netscreen Firewalls. The network on the hub is 65.120.XX.XX with netmask of 255.255.255.240 Here are the contents of the /etc/sysconfig/network-scripts/ifcfg-eth1 DEVICE=eth1 BOOTPROTO=static ONBOOT=yes IPADDR=0.0.0.0 NETMASK=0.0.0.0 Note: I added this after I initially tried to get it working without adding an IP. I saw this as a solution to some people's problems in the mailing list archvie. If I look at the traffic on eth1: syslog:/usr/local/snort/bin #./snort -i eth1 -v Running in packet dump mode Log directory = /var/log/snort Initializing Network Interface eth1 OpenPcap() device eth1 network lookup: eth1: no IPv4 address assigned --== Initializing Snort ==-- Initializing Output Plugins! Decoding Ethernet on interface eth1 --== Initialization Complete ==-- -*> Snort! <*- Version 2.1.3 (Build 27) By Martin Roesch (roesch () sourcefire com, www.snort.org) 07/20-06:28:39.383108 207.158.24.130 -> 65.120.XX.XX IPV6-CRYPT TTL:52 TOS:0x0 ID:43725 IpLen:20 DgmLen:104 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ =+ 07/20-06:28:39.383705 207.158.24.130 -> 65.120.XX.XX IPV6-CRYPT TTL:52 TOS:0x0 ID:43726 IpLen:20 DgmLen:104 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ =+ It is reading traffic on eth1. However, when I start nagios it will run, but it will not match anything. I get not a single alert. However, when I assign eth1 a valid IP address on the 65.120.XX.XX network, it immediately starts matching. Within seconds my alert count starts climbing. (Note that when I say I am assigning it a valid IP address I also modify HOME_NET to reflect this) Here is how I define HOME_NET when I am trying to use snort _without_ an IP address: var HOME_NET [10.250.200.0/24,10.250.201.0/24,10.250.202.0/24,10.250.203.0/24,10.250. 204.0/24,10.250.205.0/24,10.250.206.0/24,65.120.XX.0/28] var EXTERNAL_NET any What am I doing wrong? According to the documentation and the responses to my first emails, this config is correct. What gives?? Thx, Rhugga ------------------------------------------------------- This SF.Net email is sponsored by OSTG. Have you noticed the changes on Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now, one more big change to announce. We are now OSTG- Open Source Technology Group. Come see the changes on the new OSTG site. www.ostg.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This SF.Net email is sponsored by OSTG. Have you noticed the changes on Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now, one more big change to announce. We are now OSTG- Open Source Technology Group. Come see the changes on the new OSTG site. www.ostg.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort Just Not Working With Shadow Interface Rhugga (Aug 04)
- <Possible follow-ups>
- RE: Snort Just Not Working With Shadow Interface Joshua Berry (Aug 04)
- RE: Snort Just Not Working With Shadow Interface Harper, Patrick (Aug 04)