Snort mailing list archives
Re: Configure snort to use eth1
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 28 Feb 2006 13:49:50 -0700
Can you send me that snortd file? I'm curious to see how it looks.

James

On Tue, 28 Feb 2006 12:05:35 -0700 "Jim B" <elemint () gmail com> wrote:

That actually worked. But I just get the following in /var/log/snort/alert:

    02/16-08:48:08.515315 [**] [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! [**]
    02/16-08:48:08.515323 [**] [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! [**]

Do you recommend running snort manually like that instead of using the file in /etc/init.d/snortd? Here is the output from ps aux | grep snort:

    root 9660 0.1 4.6 52472 48508 ? Ss 11:49 0:01 snort -i eth1 -D -N -c /etc/snort/snort.conf

Jim

On 2/28/06, Jim B <elemint () gmail com> wrote:

I just changed it:

    grep D /etc/init.d/snortd | grep snort | grep bin
    daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i eth1 -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
    daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i eth1 -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
    daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF -s

but when I do a ps aux | grep snort I still get:

    snort 9592 1.8 4.7 54572 48916 ? Ss 11:37 0:01 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort -s

I know this file is changing things because if I enter something wrong I get an error back and snort does not start.

Jim

On 2/28/06, James Lay <jlay () slave-tothe-box net> wrote:

Find the line that says snort -D and just add that -i eth1 to it at the beginning of the line. Here's mine:

    /usr/local/bin/snort -i eth1 -D -N -o -c /etc/snort/snort.conf

James

------------------------------
From: Jim B [mailto: elemint () gmail com]
Sent: Tuesday, February 28, 2006 11:21 AM
To: jlay
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Configure snort to use eth1

To make it reflect snort -i eth1, I would just enter that somewhere in /etc/init.d/snortd?

When I did that I got the following message after trying to restart snort with /etc/init.d/snort restart:

       ,,_     -*> Snort! <*-
      o"  )~   Version 2.3.3 (Build 14)
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
               (C) Copyright 1998-2004 Sourcefire Inc., et al.

    USAGE: snort [-options] <filter options>
    Options:
            -A         Set alert mode: fast, full, console, or none  (alert file alerts only)
                       "unsock" enables UNIX socket logging (experimental).
            -b         Log packets in tcpdump format (much faster!)
            -c <rules> Use Rules File <rules>
            -C         Print out payloads with character data only (no hex)
            -d         Dump the Application Layer
            -D         Run Snort in background (daemon) mode
            -e         Display the second layer header info
            -f         Turn off fflush() calls after binary log writes
            -F <bpf>   Read BPF filters from file <bpf>
            -g <gname> Run snort gid as <gname> group (or gid) after initialization
            -h <hn>    Home network = <hn>
            -i <if>    Listen on interface <if>
            -I         Add Interface name to alert output
            -k <mode>  Checksum mode (all,noip,notcp,noudp,noicmp,none)
            -l <ld>    Log to directory <ld>
            -L <file>  Log to this tcpdump file
            -m <umask> Set umask = <umask>
            -n <cnt>   Exit after receiving <cnt> packets
            -N         Turn off logging (alerts still work)
            -o         Change the rule testing order to Pass|Alert|Log
            -O         Obfuscate the logged IP addresses
            -p         Disable promiscuous mode sniffing
            -P <snap>  Set explicit snaplen of packet (default: 1514)
            -q         Quiet. Don't show banner and status report
            -r <tf>    Read and process tcpdump file <tf>
            -R <id>    Include 'id' in snort_intf<id>.pid file name
            -s         Log alert messages to syslog
            -S <n=v>   Set rules file variable n equal to value v
            -t <dir>   Chroots process to <dir> after initialization
            -T         Test and report on the current Snort configuration
            -u <uname> Run snort uid as <uname> user (or uid) after initialization
            -U         Use UTC for timestamps
            -v         Be verbose
            -V         Show version number
            -w         Dump 802.11 management and control frames
            -X         Dump the raw packet data starting at the link layer
            -y         Include year in timestamp in the alert and log files
            -z         Set assurance mode, match on established sesions (for TCP)
            -?         Show this information

    <Filter Options> are standard BPF options, as seen in TCPDump

    Uh, you need to tell me to do something... : No such file or directory

Jim

On 2/28/06, James Lay <jlay () slave-tothe-box net> wrote:

Modify your /etc/init.d/snortd to reflect: snort -i eth1 ……

James

------------------------------
From: snort-users-admin () lists sourceforge net [mailto: snort-users-admin () lists sourceforge net] On Behalf Of Jim B
Sent: Tuesday, February 28, 2006 11:08 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Configure snort to use eth1

I believe the script being used is /etc/init.d/snortd. I did restart the service with /etc/init.d/snortd restart.

I am running Red Hat Enterprise 4. I got the rpm from rpmfind.net; the rpm is named snort-2.3.3-1.2.el4.rf.i386.rpm. I installed the rpm with rpm -i snort-2.3.3-1.2.el4.rf.i386.rpm

Jim

On 2/28/06, Patrick S. Harper <patrick () internetsecurityguru com> wrote:

Are you sure that is the script used to launch snort? Also, did you bounce the service after you made the change? A little more info like distro and install method would help too.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto: snort-users-admin () lists sourceforge net] On Behalf Of Jim B
Sent: Tuesday, February 28, 2006 10:17 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Configure snort to use eth1

I have changed the config in /etc/init.d/snortd to eth1, but when I run a "ps aux | grep snort" I still see that eth0 is being used, and if I grep eth in /etc/snort/snort.conf there is no reference to use eth0. I want to configure snort to pull traffic from both eth0 and eth1, but mostly eth1.

Jim
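An added shell example, not from the thread, of the two checks a Snort admin would run after editing /etc/init.d/snortd: confirm from ps output which interface the running process actually got, and summarize /var/log/snort/alert by generator:signature id so repeated decoder alerts like the [116:3:1] lines above stand out. The function names are my own; the sample ps and alert lines are copied from the messages above and embedded so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the thread. Sample input is embedded below;
# in practice pipe in real `ps aux` output and /var/log/snort/alert.

# Print the interface the running snort process listens on, read from
# `ps aux` lines on stdin: the word after "-i", or "none" if absent.
snort_iface() {
    awk '/snort/ && !/grep/ {
            for (i = 1; i <= NF; i++)
                if ($i == "-i") { print $(i + 1); found = 1; exit }
         }
         END { if (!found) print "none" }'
}

# Count alerts in a Snort "alert" file (stdin) by [gid:sid:rev], most
# frequent first. Decoder alerts carry gid 116, as in [116:3:1].
alert_summary() {
    grep -o '\[[0-9]*:[0-9]*:[0-9]*]' | sort | uniq -c | sort -rn
}

# Compare the interface snort is really using against the intended one.
# Returns 0 on a match, 1 on a mismatch (the init script edit did not take).
check_iface() {
    want=$1
    have=$(printf '%s\n' "$PS_SAMPLE" | snort_iface)
    if [ "$have" = "$want" ]; then
        echo "ok: snort listening on $have"
        return 0
    fi
    echo "MISMATCH: wanted $want, snort is running on $have"
    return 1
}

# Sample ps line from the thread: snort is still on eth0 after the edit.
PS_SAMPLE='snort 9592 1.8 4.7 54572 48916 ? Ss 11:37 0:01 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort -s'

# Sample alert lines from the thread (two identical decoder warnings).
ALERT_SAMPLE='02/16-08:48:08.515315 [**] [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! [**]
02/16-08:48:08.515323 [**] [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! [**]'

# Stand-alone demo: eth1 was wanted, so this reports the mismatch.
check_iface eth1 || echo "fix the -i setting in the daemon line that is actually used, then restart snortd"
printf '%s\n' "$ALERT_SAMPLE" | alert_summary
```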