Snort mailing list archives

RE: Snort on Linux Help


From: David Wilkeson <davelist () cboss com>
Date: Tue, 27 Nov 2001 12:15:41 -0500

Welp, I finally fixed it. I set up eth1, flipped my cable over, set snort to use eth1, and boom, it started working. My only guess is that eth0 does not support promiscuous mode. I went back and forth a couple of times just to make sure I didn't do anything else differently, and it's definitely the Ethernet card. For anyone else with the problem, it's a Dell PowerEdge 2550 rackmount server.

Thanks for all your help!

Dave

At 04:20 PM 11/26/2001 -0600, you wrote:
Well, if it were my machine, I'd first delete all rpm's pertaining to
libpcap, then go into the /usr/local/lib and /usr/lib directories and
delete anything that smelled of libpcap.

Then, reinstall from source the 0.6.2 libpcap stuff.  Unfortunately, I
don't know any other way to do it.


Mike

-----Original Message-----
From: David Wilkeson [mailto:davelist () cboss com]
Sent: Monday, November 26, 2001 3:34 PM
To: Michael Aylor
Subject: RE: [Snort-users] Snort on Linux Help


I did that, and they were both loaded (even though I previously thought I
disabled them).  However, removing them did no good.

The problem is definitely with libpcap.  I completely removed my libpcap
RPMs and snort still started up and did the same thing as it did every
other time.  How can you check what libpcap it is using?

Dave

At 10:47 AM 11/26/2001 -0600, you wrote:
>Oh yeah, thought of something else.
>
>
>When you run ntsysv, does ipchains or iptables show as startup daemons?
>If so, uncheck them, reboot.
>
>
>Mike
>
>-----Original Message-----
>From: David Wilkeson [mailto:davelist () cboss com]
>Sent: Monday, November 26, 2001 10:15 AM
>To: Chris Grout; snort-users () lists sourceforge net
>Subject: RE: [Snort-users] Snort on Linux Help
>
>
>At 03:39 PM 11/21/2001 -0800, you wrote:
> >I'll ask the dumb questions...
> >
> >1.  With Snort or your Ethereal running, does 'ifconfig' really show
> >that interface as being in promiscuous mode?
>
>Nope.  However, when I type "ifconfig eth0 promisc" it goes into
>promiscuous mode, but it doesn't change the output of ethereal or
>snort.  So to recap, the syslog indicates the interface entering and
>leaving promiscuous mode, but ifconfig does not report it in promiscuous
>mode unless I manually put it into promiscuous mode.
>
> >2.  You are running this as root or with root privileges right?  I'd
> >expect it to complain loudly if you weren't but figured I'd ask anyways.
> >You do need root privs to put the NIC into promisc mode and it sounds
> >like syslog is reporting it as working. (but these are the dumb
> >questions)
>
>Yes I am.
>
> >3.  What brand of Linux?  RedHat? Debian? Suse?
>
>Redhat, loaded by Dell.
>
> >4.  With it running, do a 'netstat -i' (obfuscate your IP just to be
> >safe), and send me the output.  I think '-i' works in linux...
>
>Are you sure that's the one you want?  It really doesn't show much of
>anything other than counters.
>
>Dave
>
>
>
>_______________________________________________
>Snort-users mailing list
>Snort-users () lists sourceforge net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users





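One way to read the kernel's own promiscuous flag for an interface on a current Linux system, relevant to the ifconfig-versus-syslog question discussed in this thread. This is an added example, not part of any message in the thread; it assumes sysfs is available at /sys/class/net, and `SYSFS_NET`, `iface_state` and `promisc_ifaces` are hypothetical names.

```shell
#!/bin/sh
# Decode the interface flag word that Linux exports in sysfs and report
# whether IFF_PROMISC is set, instead of relying on ifconfig output.
# Assumption: sysfs is mounted and each interface has a "flags" file.
# SYSFS_NET is a hypothetical override so the functions can be pointed
# at a constructed directory tree.

IFF_UP=1          # 0x1,   value from <linux/if.h>
IFF_PROMISC=256   # 0x100, value from <linux/if.h>

# iface_state IFACE: prints "promisc", "normal", "down" or "missing".
iface_state() {
    flags_file="${SYSFS_NET:-/sys/class/net}/$1/flags"
    if [ ! -r "$flags_file" ]; then
        echo missing
        return 1
    fi
    flags=$(cat "$flags_file")          # hex string such as 0x1103
    if [ $(( $flags & $IFF_PROMISC )) -ne 0 ]; then
        echo promisc
    elif [ $(( $flags & $IFF_UP )) -eq 0 ]; then
        echo down
    else
        echo normal
    fi
}

# promisc_ifaces: prints the name of every interface with IFF_PROMISC set.
promisc_ifaces() {
    for dir in "${SYSFS_NET:-/sys/class/net}"/*; do
        [ -r "$dir/flags" ] || continue
        name=${dir##*/}
        if [ "$(iface_state "$name")" = promisc ]; then
            echo "$name"
        fi
    done
    return 0
}

# When called with an interface name, report its state.
if [ $# -gt 0 ]; then
    iface_state "$1"
fi
```

Running it once before starting the sensor and once while it is capturing shows whether the flag actually changes on the sniffing interface.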
