Re: using snort without an IP Addy

[Blake Frantz <blake () mc net>]

You shouldn't have that many errors on your NIC.  Verify the card supports
whatever media you have it connected to..ie 10mbit on a 100mbit feed.

The error :

"Use of uninitialized value in gethostbyaddr at /usr/bin/snort2html line"

is generated by the PERL interpreter when the "-w" switch is used.  It
doesn't necessarily mean something is broke, it means a variable that was
never explicity assigned a value is being used as an R-value.  

Hope this helps.

Blake

================================================================= 
The Government, like diapers, should be replaced regularly, and
often for the same reasons. 

On Mon, 2 Jul 2001, Frontgate Lab wrote:

> Thanks Blake.. it was sticking on my netmask on the HOME_NET.. woops
>
>  i got it working mostly | now i just get occasional 
>
> Use of uninitialized value in gethostbyaddr at /usr/bin/snort2html line
> 90 >> i am using snort2html to give me my snortalerts in a daily html
> file ( i belive snort2html only does this on UDP packets) ..  oh well
> one step at a time
>
> > > >
>
>  
> yes it starts on boot and i've verified it running by using ps and top
>
> :)
>
> my ifconfig for eth1 gets me
>
> eth1      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx   
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:359432 errors:1473 dropped:0 overruns:35 frame:2286
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100 
>           Interrupt:10 Base address:0x1000 
>
> and my route statements dont matter since im not sending any packets
> except for the mail and alerts notifications , and those go out the
> internal eth0 interface, which DOES have an ip addy.
>
> ps  should i worry about the number of overruns on the interface?
>
>
>
>
> Blake Frantz wrote:
> > When you type 'ifconfig' do you get info for eth1?  Red Hat doesn't bring
> > up the second interface on boot unless you tell it to.
> >
> > cat /etc/sysconfig/network-scripts/ifcfg-eth1
> >
> > and verify that ONBOOT is set to 'yes'
> >
> > if the file doesn't exist, create it with something similar to the
> > following:
> >
> > <snip>
> > DEVICE=eth1
> > BOOTPROTO=static
> > BROADCAST=192.168.1.255
> > IPADDR=192.168.1.10
> > NETMASK=255.255.255.0
> > NETWORK=192.168.1.0
> > ONBOOT=yes
> > </snip>
> >
> > Hope this helps.
> >
> > Blake
> >
> > =================================================================
> > The Government, like diapers, should be replaced regularly, and
> > often for the same reasons.
> >
> > On Mon, 2 Jul 2001, Frontgate Lab wrote:
> >
> > > Hi all,
> > >
> > > I am using snort with a manually defined HOME_NET and no IP Addy
> > > running on eth1
> > >
> > > I am running RH 7.1 and Snort version 1.7.1  ( the version that ships
> > > with RedHat is 1.7.3 which segfaults.. the 1.7.1 version from
> > > www.snort.org works quite well and is more complete.
> > >
> > > My question is
> > > Why do I seem to be having no luck forcing the creation of alerts when i
> > > nmap scan the servers on the switch where i have snort plugged in?
> > >  It is a flat switch with no vlans.. I am trying to get IDS
> > > notifications on any traffic on that switch.
> > >
> > > any help  appreciated
> > >
> > >  my snort startup looks like this:
> > >
> > > # Source function library.
> > >  /etc/rc.d/init.d/functions
> > >
> > > # Specify your network interface here
> > > INTERFACE=eth1
> > >
> > > # See how we were called.
> > > case "$1" in
> > >   start)
> > >       echo -n "Starting snort: "
> > >       daemon /usr/sbin/snort -u snort -g snort -s -d -D \
> > >               -i $INTERFACE -l /var/log/snort -c /etc/snort/snort.conf
> > >       touch /var/lock/subsys/snort
> > >
> > >
> > > While i edited the /etc/snort/snort.conf to look like this:
> > >
> > >
> > > var HOME_NET 21X.8X.XX.XX/24
> > > var EXTERNAL_NET any
> > > var DNS_SERVERS [192.XXX.XXX.XXX/32,198.6.1.1/32]
> > >
> > > preprocessor defrag
> > > preprocessor http_decode: 80 8080
> > > preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log
> > > preprocessor portscan-ignorehosts: $DNS_SERVERS
> > >
> > >
> > > Shouldn't this work?
> > >
> > > Thanks :)
> > >
> > > Madhav
> > >
> > >
> > > Note: The information contained in this message may be privileged and confidential and protected from disclosure. 
> > >  If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering 
> > > this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying 
> > > of this communication is
>
>
> Note: The information contained in this message may be privileged and confidential and protected from disclosure.  If 
> the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this 
> message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this 
> communication is strictly prohibited. If you have received this communication in error, please notify us immediately 
> by replying to the message and deleting it from your computer.  Thank you.  Wagner Weber & Williams


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users