Snort mailing list archives
Re: snort daemon to listen to eth2 and eth3 in promiscuous mode
From: Kaushal Shriyan <kaushalshriyan () gmail com>
Date: Thu, 21 Feb 2013 16:12:36 +0530
Hi Ayodele,

I have the below settings in my snort.conf -> http://fpaste.org/F8ZO/

cat /tmp/interfaces

bond0     Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0C
          inet addr:192.168.73.67  Bcast:192.168.73.255  Mask:255.255.255.0
          inet6 addr: fe80::e2db:55ff:fe05:d00c/64 Scope:Link
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:1902153 errors:0 dropped:0 overruns:0 frame:0
          TX packets:250497 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:232394243 (221.6 MiB)  TX bytes:93066331 (88.7 MiB)

eth0      Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0C
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:1101579 errors:0 dropped:0 overruns:0 frame:0
          TX packets:250497 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:169722435 (161.8 MiB)  TX bytes:93066331 (88.7 MiB)
          Interrupt:194 Memory:d91a0000-d91b0000

eth1      Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0C
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:800574 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:62671808 (59.7 MiB)  TX bytes:0 (0.0 b)
          Interrupt:202 Memory:d91d0000-d91e0000

eth2      Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0E
          inet6 addr: fe80::e2db:55ff:fe05:d00e/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:64 (64.0 b)  TX bytes:492 (492.0 b)
          Interrupt:210 Memory:d90a0000-d90b0000

eth3      Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0F
          inet6 addr: fe80::e2db:55ff:fe05:d00f/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:64 (64.0 b)  TX bytes:492 (492.0 b)
          Interrupt:218 Memory:d90d0000-d90e0000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:104 errors:0 dropped:0 overruns:0 frame:0
          TX packets:104 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5200 (5.0 KiB)  TX bytes:5200 (5.0 KiB)

# ps aux | grep snort
snort    21011  0.0  0.2 416992 71812 ?  Ssl  16:05  0:00 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
root     21031  0.0  0.0  61172   748 pts/0  S+  16:09  0:00 grep snort

I tried running

/usr/sbin/snort -c /etc/snort/snort.conf -u snort -g snort --daq afpacket -i eth2:eth3 -Q

but I don't see any traffic in the /var/log/snort/alert file. Please let me know if I am missing anything and if you need any additional certificate.

Also, the Datacenter folks have told us the port mirroring is done on the L3 switch running in L2 mode.

Regards,

Kaushal

On Tue, Feb 19, 2013 at 11:25 PM, Kaushal Shriyan <kaushalshriyan () gmail com> wrote:
> On Tue, Feb 19, 2013 at 8:12 PM, Ayodele Okeowo <aymacro () gmail com> wrote:
>> Nice! I will assume you are using the bond0 interface as your management interface and it's described in your snort config file. You shouldn't have any problem; you just have to change the format of the command line to the one I pasted earlier.
>>
>> Ayo
>
> Thanks a lot Ayodele. Will update you as I progress and seek help here if I get into issues. Thanks everyone for the kind support. Much appreciated.
>
> Regards,
>
> Kaushal
Snort-users mailing list (Snort-users () lists sourceforge net), archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
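A check a practitioner would run before touching the Snort command line, added here as an example and not part of the thread or of the Snort project: the ifconfig output above shows eth2 and eth3 in PROMISC mode but with RX packets:1 each, so no mirrored traffic is reaching the sensor and Snort has nothing to alert on. The script reads the kernel's per-interface counters and flags from /sys/class/net (standard Linux sysfs layout; IFF_PROMISC is bit 0x100 of the flags file) and reports, per interface, whether it is promiscuous and whether any packets arrived during a sampling window. The counter values used in the comments are constructed to mirror the post's ifconfig output; the function names and the /tmp path are this example's own.

```shell
#!/bin/sh
# check_span.sh: is this sniffing interface actually receiving mirrored traffic?
# Added example, not from the mailing-list thread. Assumes Linux sysfs
# (/sys/class/net/<if>/...). IFF_PROMISC = 0x100 in <linux/if.h>.

# rx_packets_now IFACE: current kernel RX packet counter for IFACE
rx_packets_now() {
    cat "/sys/class/net/$1/statistics/rx_packets"
}

# has_promisc FLAGS: exit 0 if the IFF_PROMISC bit is set in FLAGS, the
# hex value read from /sys/class/net/<if>/flags (e.g. 0x1143)
has_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# rx_verdict IFACE FLAGS RX_BEFORE RX_AFTER: print one diagnostic line.
# Pure function, so it can be checked against constructed counters:
#   rx_verdict eth2 0x1143 1 1      -> promiscuous, but nothing arriving
#   rx_verdict eth0 0x1043 100 250  -> traffic, but NIC not promiscuous
rx_verdict() {
    iface=$1; flags=$2; before=$3; after=$4
    delta=$(( after - before ))
    if ! has_promisc "$flags"; then
        echo "$iface: NOT promiscuous, frames for other hosts are dropped by the NIC"
    elif [ "$delta" -eq 0 ]; then
        echo "$iface: promiscuous but 0 packets in window, mirror/SPAN is not delivering traffic"
    else
        echo "$iface: OK, $delta packets in window"
    fi
}

# check_iface IFACE [SECONDS]: live check on a real interface (default 10 s window)
check_iface() {
    iface=$1; window=${2:-10}
    flags=$(cat "/sys/class/net/$iface/flags")
    before=$(rx_packets_now "$iface")
    sleep "$window"
    after=$(rx_packets_now "$iface")
    rx_verdict "$iface" "$flags" "$before" "$after"
}

# Usage: sh check_span.sh eth2 eth3
if [ "$#" -gt 0 ]; then
    for i in "$@"; do check_iface "$i"; done
fi
```

If the verdict for eth2 and eth3 is "0 packets in window", the problem is upstream of Snort (the SPAN session on the switch, or which physical ports it mirrors to), and no Snort flag will produce alerts. Separately, `--daq afpacket -i eth2:eth3 -Q` runs Snort in inline mode, where the afpacket DAQ bridges the two interfaces and inspects traffic forwarded between them; for a one-way mirror feed the passive form on a single interface (`-i eth2`, no `-Q`) is the one that matches the setup described in the post.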
Current thread:
- snort daemon to listen to eth2 and eth3 in promiscuous mode Kaushal Shriyan (Feb 19)
- Re: snort daemon to listen to eth2 and eth3 in promiscuous mode Ray Caparros (Feb 19)
- Re: snort daemon to listen to eth2 and eth3 in promiscuous mode Kaushal Shriyan (Feb 19)
- Re: snort daemon to listen to eth2 and eth3 in promiscuous mode Ayodele Okeowo (Feb 19)
- Re: snort daemon to listen to eth2 and eth3 in promiscuous mode Kaushal Shriyan (Feb 19)
- Re: snort daemon to listen to eth2 and eth3 in promiscuous mode Ayodele Okeowo (Feb 19)
- Re: snort daemon to listen to eth2 and eth3 in promiscuous mode Kaushal Shriyan (Feb 19)
- Re: snort daemon to listen to eth2 and eth3 in promiscuous mode Ayodele Okeowo (Feb 19)
- Re: snort daemon to listen to eth2 and eth3 in promiscuous mode Ayodele Okeowo (Feb 19)
- Re: snort daemon to listen to eth2 and eth3 in promiscuous mode Kaushal Shriyan (Feb 19)
- Re: snort daemon to listen to eth2 and eth3 in promiscuous mode Kaushal Shriyan (Feb 21)
- Re: snort daemon to listen to eth2 and eth3 in promiscuous mode Ayodele Okeowo (Feb 21)
- Re: snort daemon to listen to eth2 and eth3 in promiscuous mode Kaushal Shriyan (Feb 19)
- Re: snort daemon to listen to eth2 and eth3 in promiscuous mode Ray Caparros (Feb 19)