Snort mailing list archives
RE: [Snorting 2 NICs]
From: "K.S.NARAYANAN" <knarayan () mahindrabt com>
Date: Wed, 12 Jun 2002 11:32:44 +0530
o Snort -c /etc/snortint.conf -I eth0 o Snort -c /etc/snortext.conf -I eth1 Sorry that's a mistake ( My outlook 2000 changed the case ). It's snort -c /etc/snortint.conf -i eth0 -D snort -c /etc/snortext.conf -i eth1 -D I haven't tweaked any rules thus far, since I get no alerts from the external interface yet. What's the IP ?? I will make snort to give some alerts ...! ( Don't take it seriously ) . -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Gregory D Hough Sent: Tuesday, June 11, 2002 7:33 PM To: snort-users () lists sourceforge net Subject: Re: [Snort-users] [Snorting 2 NICs] On June 11, 2002 12:11 am, K.S.NARAYANAN wrote:
I do in this way without any problem :- * I have all my rules @ /etc/snort/rules .
I haven't tweaked any rules thus far, since I get no alerts from the external interface yet.
* I have 2 snort.conf files o /etc/snortint.conf ( with more local rules ) o /etc/snortext.conf ( with standard snort rules )
OK, I did this...
* A single snort binary & I call 2 instances of snort like this o Snort -c /etc/snortint.conf -I eth0 o Snort -c /etc/snortext.conf -I eth1
...here is where the trouble begins. The -I switch will not work at all for
either command:
]# snort -c /usr/local/etc/snort/snortext.conf -I eth1
Log directory = /var/log/snort
Initializing Network Interface eth0
ERROR: OpenPcap() FSM compilation failed:
parse error
PCAP command: eth1
Fatal Error, Quitting..
But the swich -i does:
]# snort -c /usr/local/etc/snort/snortext.conf -i eth1
Log directory = /var/log/snort
Initializing Network Interface eth1
WARNING: OpenPcap() device eth1 network lookup:
eth1: no IPv4 address assigned
--== Initializing Snort ==--
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /usr/local/etc/snort/snortext.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Scan alerts: ACTIVE
Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
Reassemble client: ACTIVE
Reassemble server: INACTIVE
Reassemble ports: 21 23 25 53 80 143 110 111 513
Reassembly alerts: ACTIVE
Reassembly method: FAVOR_OLD
Back Orifice detection brute force: DISABLED
Using LOCAL time
database: compiled support for ( mysql )
database: configured to use mysql
database: database name = snort
database: user = root
database: host = localhost
database: password is set
database: sensor name = farmer6re9.win.not:eth1
database: sensor id = 3
database: schema version = 105
database: using the "alert" facility
886 Snort rules read...
886 Option Chains linked into 108 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Rule application order: ->activation->dynamic->alert->pass->log
--== Initialization Complete ==--
-*> Snort! <*-
Version 1.8.6 (Build 105)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
I am going to let it run like this for a day or so and see what it does. I
still do not think any alerts will come from the external snort.
One thing I should mention is that being sort of a newbie, I am trying to
administer most servers /etc from the Webmin GUI. Don't laugh, it is a good
learning tool. I am comfortable at the command line however. The Webmin tool
only allows me to set up a single interface. So I use it for the internal
and
fire up the external via the shell. Just out of curiosity, is it possible to
initialize both interfaces with a single command? For example, Sandro
offered
a snort.multi script, but it was way out of my league. I do run a few
scripts
for port forwarding to a win box, but they are very simple.
Thanks for the suggestions,
farmer6re9
The above method works well . Any comments please ... Regards, Narayan. -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of McCammon, Keith Sent: Monday, June 10, 2002 6:39 PM To: mr6re9 () execulink com; snort-users () lists sourceforge net Subject: RE: [Snort-users] [Snorting 2 NICs] You should be able to simply install another Snort instance. Instances
can
share conf and rules files, but not the binary as far as I am aware. Just do "cp snort snort2" and call snort2 for the second instance. -----Original Message----- From: Gregory D Hough [mailto:mr6re9 () execulink com] Sent: Monday, June 10, 2002 8:47 AM To: snort-users () lists sourceforge net Subject: [Snort-users] [Snorting 2 NICs] Greetings Group, I have Snort running into MySQL. I use ACID to view alerts. Snort works fine when started as: snort -c /usr/local/etc/snort/snort.conf -i eth0 -D but this is my internal interface. When fired up for eth1 (IP address ppp0) I get this in /var/log/messages: WARNING: OpenPcap() device eth1 network lookup: ^Ieth1: no Ipv4 address assigned Initializing daemon mode WARNING: OpenPcap() device eth1 network lookup: ^Ieth1: no Ipv4 address assigned PID stat checked out ok, PID set to /var/run Writing PID file to "/var/run" Snort initialization completed successfully, Snort running Obviously Snort sees no traffic whatsoever. Is there anyway to initialize Snort with two sensors, eth0 and ppp0? This is on a tutorial HOME_NET, with a Linux gateway machine and two other boxes inside, one Linux and one Win. I'd like to continue monitoring the internal due to the Win box. I have mulled over the excellent
documentation
for setting the whole thing up, thanks to everyone involved. I just
haven't
found an answer to this type of setup yet.
_______________________________________________________________ Don't miss the 2002 Sprint PCS Application Developer's Conference August 25-28 in Las Vegas - http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ********************************************************* Disclaimer This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited. ********************************************************* Visit us at http://www.mahindrabt.com _______________________________________________________________ Sponsored by: ThinkGeek at http://www.ThinkGeek.com/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- [Snorting 2 NICs] Gregory D Hough (Jun 10)
- Re: [Snorting 2 NICs] Petr Ruzicka (Jun 10)
- <Possible follow-ups>
- RE: [Snorting 2 NICs] McCammon, Keith (Jun 10)
- RE: [Snorting 2 NICs] K.S.NARAYANAN (Jun 10)
- Re: [Snorting 2 NICs] Gregory D Hough (Jun 11)
- Re: [Snorting 2 NICs] Erek Adams (Jun 11)
- RE: [Snorting 2 NICs] K.S.NARAYANAN (Jun 11)
- Re: [Snorting 2 NICs] Martin Forest (Jun 13)
- RE: [Snorting 2 NICs] K.S.NARAYANAN (Jun 10)
- FW: [Snorting 2 NICs] McCammon, Keith (Jun 10)
- RE: [Snorting 2 NICs] COULOMBE, TROY (Jun 11)