Snort mailing list archives

Re: Configure snort to use eth1


From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 28 Feb 2006 13:49:50 -0700

Can you send me that snortd file?  I'm curious to see how it looks.

James

On Tue, 28 Feb 2006 12:05:35 -0700
"Jim B" <elemint () gmail com> wrote:

That actually worked. But I just get the following in /var/log/snort/alert


02/16-08:48:08.515315  [**] [116:3:1] (snort_decoder) WARNING: IP dgm
len < IP Hdr len! [**]
02/16-08:48:08.515323  [**] [116:3:1] (snort_decoder) WARNING: IP dgm
len < IP Hdr len! [**]


Do you recommend running snort manually like that instead of using the
file in /etc/init.d/snortd?

Here is the output from ps aux |grep snort

root      9660  0.1  4.6 52472 48508 ?       Ss   11:49   0:01 snort
-i eth1 -D -N -c /etc/snort/snort.conf


Jim


On 2/28/06, Jim B <elemint () gmail com> wrote:

I just changed it:

 grep D /etc/init.d/snortd |grep snort |grep bin
                daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG
$NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i eth1 -u $USER -g
$GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
                  daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG
$NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i eth1 -u $USER -g
$GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
              daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG
$NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g
$GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF -s

but when I do a ps aux |grep snort I still get

snort     9592  1.8  4.7 54572 48916 ?       Ss   11:37   0:01
/usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c
/etc/snort/snort.conf -l /var/log/snort -s


I know this file is changing things because if I enter something
wrong I get an error back and snort does not start.

Jim



On 2/28/06, James Lay <jlay () slave-tothe-box net> wrote:

 Find the line that says snort –D and just add that –i eth1 to it
at the beginning of the line.  Here's mine:



/usr/local/bin/snort -i eth1 -D -N -o -c /etc/snort/snort.conf



James


------------------------------

From: Jim B [mailto: elemint () gmail com]
Sent: Tuesday, February 28, 2006 11:21 AM
To: jlay
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Configure snort to use eth1



To make it reflect snort -i eth1, I would just enter that
somewhere in /etc/init.d/snortd?



When I did that I got the following message after trying to
restart snort with /etc/init.d/snort restart




   ,,_     -*> Snort! <*-
  o"  )~   Version 2.3.3 (Build 14)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/team.html
           (C) Copyright 1998-2004 Sourcefire Inc., et al.

USAGE: snort [-options] <filter options>
Options:
        -A         Set alert mode: fast, full, console, or none (alert file alerts only)
                   "unsock" enables UNIX socket logging (experimental).
        -b         Log packets in tcpdump format (much faster!)
        -c <rules> Use Rules File <rules>
        -C         Print out payloads with character data only (no hex)
        -d         Dump the Application Layer
        -D         Run Snort in background (daemon) mode
        -e         Display the second layer header info
        -f         Turn off fflush() calls after binary log writes
        -F <bpf>   Read BPF filters from file <bpf>
        -g <gname> Run snort gid as <gname> group (or gid) after initialization
        -h <hn>    Home network = <hn>
        -i <if>    Listen on interface <if>
        -I         Add Interface name to alert output
        -k <mode>  Checksum mode (all,noip,notcp,noudp,noicmp,none)
        -l <ld>    Log to directory <ld>
        -L <file>  Log to this tcpdump file
        -m <umask> Set umask = <umask>
        -n <cnt>   Exit after receiving <cnt> packets
        -N         Turn off logging (alerts still work)
        -o         Change the rule testing order to Pass|Alert|Log
        -O         Obfuscate the logged IP addresses
        -p         Disable promiscuous mode sniffing
        -P <snap>  Set explicit snaplen of packet (default: 1514)
        -q         Quiet. Don't show banner and status report
        -r <tf>    Read and process tcpdump file <tf>
        -R <id>    Include 'id' in snort_intf<id>.pid file name
        -s         Log alert messages to syslog
        -S <n=v>   Set rules file variable n equal to value v
        -t <dir>   Chroots process to <dir> after initialization
        -T         Test and report on the current Snort configuration
        -u <uname> Run snort uid as <uname> user (or uid) after initialization
        -U         Use UTC for timestamps
        -v         Be verbose
        -V         Show version number
        -w         Dump 802.11 management and control frames
        -X         Dump the raw packet data starting at the link layer
        -y         Include year in timestamp in the alert and log files
        -z         Set assurance mode, match on established sesions (for TCP)
        -?         Show this information
<Filter Options> are standard BPF options, as seen in TCPDump


Uh, you need to tell me to do something...

: No such file or directory







Jim





On 2/28/06, James Lay <jlay () slave-tothe-box net> wrote:

Modify your /etc/init.d/snortd to reflect:



snort –i eth1 ……



James


------------------------------

From: snort-users-admin () lists sourceforge net [mailto:
snort-users-admin () lists sourceforge net] On Behalf Of Jim B
Sent: Tuesday, February 28, 2006 11:08 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Configure snort to use eth1



I believe the script being used is /etc/init.d/snortd; I did
restart the service with /etc/init.d/snortd restart.



I am running Red Hat Enterprise 4, I got the rpm from
rpmfind.net, the rpm is named
snort-2.3.3-1.2.el4.rf.i386.rpm


I installed the rpm with rpm -i  snort-2.3.3-1.2.el4.rf.i386.rpm






Jim



On 2/28/06, Patrick S. Harper <patrick () internetsecurityguru com> wrote:

Are you sure that is the script used to launch snort?  Also, did
you bounce the service after you made the change?  A little more
info like distro and install method would help too.


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto: snort-users-admin () lists sourceforge net] On Behalf Of Jim B
Sent: Tuesday, February 28, 2006 10:17 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Configure snort to use eth1

I have changed the config in /etc/init.d/snortd to eth1 but when
I run a "ps aux | grep snort" I still see that eth0 is being used,
and if I grep eth in /etc/snort/snort.conf there is no reference
to use eth0.

I want to configure snort to pull traffic from both eth0 and eth1
but mostly eth1.



Jim









_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
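A note on the grep output quoted above, as an added example that is not part of the thread and is not the snortd script shipped in the RPM: the two daemon lines that were edited to `-i eth1` both log to `$LOGDIR/$i`, which is the shape of a per-interface loop, while the third line, which uses `$INTERFACE` and logs to `$LOGDIR`, is the single-interface path, and the `ps` output (`-i eth0 ... -l /var/log/snort -s`) matches that third line. The script below re-implements that branching in plain sh so you can see which command line a given `INTERFACE` setting produces before touching the real init script. It assumes (not shown on the page) that the script sources `/etc/sysconfig/snort`, defaults `INTERFACE` to eth0 when unset, and starts one snort per interface when several are listed; the paths and option order are copied from the `ps` output in the thread, and the sysconfig fragment it parses is constructed for the demo.

```shell
#!/bin/sh
# Added example, not the snortd script from the thread nor snort.org's own
# code: a re-implementation of the interface logic a Red Hat style snortd
# init script applies, so you can see which daemon line will run before
# editing the real script. Assumptions (not shown on the page): the script
# sources /etc/sysconfig/snort, defaults INTERFACE to eth0 when unset, and
# starts one snort process per interface when INTERFACE lists several.

# Pull INTERFACE= out of a sysconfig file without sourcing it (sourcing
# executes whatever the file contains; for a quick inspection, don't).
interface_from_sysconfig() {
    sed -n 's/^INTERFACE=//p' "$1" | tr -d '"' | tail -n 1
}

# Print the snort command line(s) the init script would hand to daemon.
# $1: INTERFACE value, e.g. "eth1" or "eth0 eth1".
build_snort_cmdlines() {
    interface="$1"
    conf="/etc/snort/snort.conf"
    logdir="/var/log/snort"
    if [ -z "$interface" ]; then
        interface="eth0"     # assumed script default; matches the ps output
    fi

    set -- $interface        # word-split on whitespace
    if [ "$#" -gt 1 ]; then
        # Multi-interface branch: one daemon per NIC, each with its own log
        # directory so alert/log files from eth0 and eth1 don't collide.
        for i in "$@"; do
            echo "/usr/sbin/snort -A fast -b -d -D -i $i -u snort -g snort -c $conf -l $logdir/$i"
        done
    else
        # Single-interface branch: the line that was actually running in the
        # thread. Editing the loop above (as the grep output shows) changes
        # nothing here, which is why ps kept showing -i eth0.
        echo "/usr/sbin/snort -A fast -b -d -D -i $1 -u snort -g snort -c $conf -l $logdir -s"
    fi
}

# Demo on a constructed sysconfig fragment (not a file from the thread).
demo() {
    tmp=$(mktemp)
    printf 'ALERTMODE=fast\nINTERFACE="eth0 eth1"\n' > "$tmp"
    build_snort_cmdlines "$(interface_from_sysconfig "$tmp")"
    rm -f "$tmp"
}
demo
```

Run it as `sh snort_iface_demo.sh` (a hypothetical file name) and compare the printed lines with `ps aux | grep snort` on the box; if the running process matches the single-interface line, the setting to change is `INTERFACE` in the sysconfig file, not the daemon lines inside the loop. Before restarting the service, `snort -T -i eth1 -c /etc/snort/snort.conf` (`-T` is listed in the usage text above) validates the configuration without leaving a daemon running.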

