Snort mailing list archives

RE: Snort Just Not Working With Shadow Interface


From: "Joshua Berry" <jberry () PENSON COM>
Date: Wed, 4 Aug 2004 16:24:20 -0500

Again, your questioning is confusing.  Snort is at version 2.2.0RC1 right
now (I am pretty sure you are not using a version that is lower than
1.9.x).  Also, what does Nagios have to do with Snort?  Why do you keep
including it in your posts?

How are you defining HOME_NET when the interface is configured with an
IP address (since you say that you change it when running with an IP)?

Once again, I am running Snort on Redhat 9.0 with this config and it is
generating alerts all day long:

DEVICE=eth1
ONBOOT=yes
USRCTL=no

You said that snort reads packets without an IP but does not alert.
This indicates that Snort is working just fine and that you might have
something defined wrong causing Snort to miss everything.  If snort is
capturing packets then it is functioning.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rhugga
Sent: Tuesday, July 20, 2004 8:49 AM
To: Snort-User Mailing List
Subject: [Snort-users] Snort Just Not Working With Shadow Interface

I will be as terse as possible here, because I have tried configs from
people that claim they should work but aren't. I have read the
documentation probably 5 times now (well, the documentation says
version 1.0, the link on the website says 1.1, but the version I am
using is 1.2).

Anyway. My system is vanilla RH 9 with all updates except I build my own
openssl library and am also using mysql 4.x in /usr/local. (I have
completely re-installed since I first started just to eliminate ANY
possible issues because some people claim snort 1.2 works as I desire on
RH 9)

eth0
-------------------------------
IP address: 10.250.200.33
Netmask: 255.255.255.0
SysKonnect Copper GB NIC directly connected to a switch in our Black 
Diamond. (Cat 6 cabling with no patch panels in between)

eth1
--------------------------------
IP address: None
Onboard Intel NIC connected to a 4 port hub. Also on this hub is a Cisco
3600 router and 2 Netscreen Firewalls.

The network on the hub is 65.120.XX.XX with netmask of 255.255.255.240

Here are the contents of the /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
BOOTPROTO=static
ONBOOT=yes
IPADDR=0.0.0.0
NETMASK=0.0.0.0

Note: I added this after I initially tried to get it working without
adding an IP. I saw this as a solution to some people's problems in the
mailing list archive.

If I look at the traffic on eth1:

syslog:/usr/local/snort/bin #./snort -i eth1 -v
Running in packet dump mode
Log directory = /var/log/snort

Initializing Network Interface eth1
OpenPcap() device eth1 network lookup:
        eth1: no IPv4 address assigned

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth1

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.1.3 (Build 27)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
07/20-06:28:39.383108 207.158.24.130 -> 65.120.XX.XX
IPV6-CRYPT TTL:52 TOS:0x0 ID:43725 IpLen:20 DgmLen:104
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/20-06:28:39.383705 207.158.24.130 -> 65.120.XX.XX
IPV6-CRYPT TTL:52 TOS:0x0 ID:43726 IpLen:20 DgmLen:104
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

It is reading traffic on eth1. However, when I start nagios it will run,
but it will not match anything. I get not a single alert. However, when
I assign eth1 a valid IP address on the 65.120.XX.XX network, it
immediately starts matching. Within seconds my alert count starts
climbing. (Note that when I say I am assigning it a valid IP address I
also modify HOME_NET to reflect this)

Here is how I define HOME_NET when I am trying to use snort _without_ an
IP address:
var HOME_NET [10.250.200.0/24,10.250.201.0/24,10.250.202.0/24,10.250.203.0/24,10.250.204.0/24,10.250.205.0/24,10.250.206.0/24,65.120.XX.0/28]
var EXTERNAL_NET any

What am I doing wrong? According to the documentation and the responses 
to my first emails, this config is correct.

What gives??

Thx,
Rhugga
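As an added troubleshooting example (not from either poster and not part of Snort), the snippet below parses a Snort 2.x `var HOME_NET [...]` list and checks the source/destination pairs from a `snort -v` dump against it, so you can tell whether the traffic seen on the IP-less interface is even inside HOME_NET before suspecting the sniffing interface itself. The masked 65.120.XX.0/28 is stood in for by the constructed documentation range 198.51.100.0/28, and the dump lines are constructed.

```python
"""Does the traffic Snort sees actually fall inside HOME_NET?

Added troubleshooting helper, not part of Snort or of either poster's setup.
Parses a Snort 2.x `var NAME [...]` list (CIDRs, `any`, `!` negation) and
checks each src -> dst pair from a `snort -v` dump against it.
"""
import ipaddress
import re

# Constructed copy of the HOME_NET line from the post; the masked
# 65.120.XX.0/28 is stood in for by the documentation range 198.51.100.0/28.
HOME_NET_LINE = (
    "var HOME_NET [10.250.200.0/24,10.250.201.0/24,10.250.202.0/24,"
    "10.250.203.0/24,10.250.204.0/24,10.250.205.0/24,10.250.206.0/24,"
    "198.51.100.0/28]"
)
# Constructed packet-dump header lines in the `snort -v` layout shown above.
DUMP_LINES = [
    "07/20-06:28:39.383108 207.158.24.130 -> 198.51.100.5",
    "07/20-06:28:40.100000 10.250.200.33:34567 -> 207.158.24.130:80",
    "07/20-06:28:41.200000 207.158.24.130 -> 198.51.100.20",
]
PKT_RE = re.compile(r"^\S+ (\S+) -> (\S+)$")

def parse_var_list(line):
    """Return (included, excluded) networks from a `var NAME value` line."""
    _, _, value = line.split(None, 2)
    included, excluded = [], []
    for item in value.strip().strip("[]").split(","):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        item = item.lstrip("!")
        net = ipaddress.ip_network("0.0.0.0/0" if item == "any" else item, strict=False)
        (excluded if negated else included).append(net)
    return included, excluded

def in_var(addr, nets):
    """True if addr is covered by the list (a `!` entry excludes, as in Snort 2.x)."""
    included, excluded = nets
    ip = ipaddress.ip_address(addr.split(":")[0])  # drop a trailing :port
    return not any(ip in n for n in excluded) and any(ip in n for n in included)

def classify(dump_lines, home_net_line):
    """Return [(src, dst, dst_in_home_net)] for each parsable dump header line."""
    nets = parse_var_list(home_net_line)
    pairs = (PKT_RE.match(l) for l in dump_lines)
    return [(m[1], m[2], in_var(m[2], nets)) for m in pairs if m]
```

A destination that comes back False here would never be considered by a `$EXTERNAL_NET any -> $HOME_NET any` rule header, regardless of whether the interface has an address.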




-------------------------------------------------------
This SF.Net email is sponsored by OSTG. Have you noticed the changes on
Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now,
one more big change to announce. We are now OSTG- Open Source Technology
Group. Come see the changes on the new OSTG site. www.ostg.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
