Snort mailing list archives

1.8.4b4: "-i any" fails under RedHat 7.1


From: David Bianco <bianco () jlab org>
Date: Thu, 7 Mar 2002 15:13:38 -0500


I've spent most of the day researching this issue, so I'm hoping someone
else out here can give me a clue.

I've got a RedHat 7.1 box (kernel 2.4.9-31) and 3 NICs.  eth0 is the 
primary network interface, connected to our LAN.  eth1 and eth2 are 
connected to our network tap to monitor a different segment.  I want to
have snort monitor eth1 and eth2 in one process.  Both eth1 and eth2
are Intel Pro/1000T gigabit cards, though they are only working in 100mb/s
mode.

According to everything I've read, this should work fine.  Snort 1.8.4b4
supports the "any" interface, as does libpcap-0.6.2, which is what I've
got installed on my system.  Indeed, when I run "snort -i any -v" it
starts up and dumps traffic, but it only dumps traffic it sees on eth0.
The startup message from snort even says it's listening on 'any' but I
don't really think it is.  If I start with "snort -i eth1 -v" (or the
equivalent for eth2) I get the expected output. 

If anyone has seen this behavior before or can provide me with a clue,
I'd be grateful.

    Thanks,
      David


-- 
David J. Bianco, GSEC           <bianco () jlab org>
Thomas Jefferson National Accelerator Facility

     The views expressed herein are solely those of the author and
            not those of SURA/Jefferson Lab or the US DOE.
