Snort mailing list archives
RE: Snort Solaris 8 with quad card
From: Chris Frazier - PA <Chris_Frazier () GMACM COM>
Date: Wed, 3 Apr 2002 09:54:59 -0500
Thanks for the help everyone. The separate conf files and not making fat finger errors did the trick. -----Original Message----- From: Jason Lewis [mailto:jlewis () packetnexus com] Sent: Tuesday, April 02, 2002 6:20 PM To: snort-users () lists sourceforge net; 'Chris Frazier - PA' Subject: RE: [Snort-users] Snort Solaris 8 with quad card I always use separate conf files for each instance. I have run snort on a quad card in a Sun box with no problem. jas -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Scott Nursten Sent: Tuesday, April 02, 2002 3:22 PM To: Erek Adams; Chris Frazier - PA Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] Snort Solaris 8 with quad card Another very glaring fact is that you are using the same conf.file (or are you?) for both snort processes. Now, it's possible (but IMHO, not likely) that you have your var's setup to cover the networks in both VLAN's...., but if you don't, that could also be the problem. Regards, Scott On 2/4/02 8:28 pm, "Erek Adams" <erek () theadamsfamily net> wrote:
On Tue, 2 Apr 2002, Chris Frazier - PA wrote:I have Snort running on a Ultra 5 with Solaris 8. I bring up interfaces qfe2 and qfe3 without IP addresses being assigned on differnet VLANs, and have Snort listen on those interfaces using separate commands: snort -D -c conf.file -l /var/log/snort/qfe2 -i qfe2 snort -D -c conf.file -l /var/log/snort/qfe3 -i qfe3 When I trigger scans on those VLANs, qfe2 logs the results, but qfe3 does nothing. If I kill the snort running on qfe3, and just do a tcpdump -i qfe3, and run tthe scans again, I see the traffic.Ok, lets check this a bit more. If you use a 'snort -vade -i qfe2' and
run
scans, do you see the traffic? Where does this traffic come from? A
third
machine? If just run the qfe3 instance (as above), does it log? Running
a
'snort -vade -i qfe3' while scanning--Does that show any data?So am I doing something completely wrong, or am I trying to do something that is not possible.It all depends. :) 'Not Possible' just means someone else hasn't done it yet. ;-)Any help is greatly appreciated.Cheers! ----- Erek Adams Nifty-Type-Guy TheAdamsFamily.Net _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort Solaris 8 with quad card Chris Frazier - PA (Apr 02)
- Re: Snort Solaris 8 with quad card Erek Adams (Apr 02)
- Re: Snort Solaris 8 with quad card Scott Nursten (Apr 02)
- RE: Snort Solaris 8 with quad card Jason Lewis (Apr 02)
- Re: Snort Solaris 8 with quad card Scott Nursten (Apr 02)
- <Possible follow-ups>
- RE: Snort Solaris 8 with quad card Chris Frazier - PA (Apr 03)
- Re: Snort Solaris 8 with quad card Erek Adams (Apr 02)