Snort mailing list archives
RE: Promiscuous monitoring
From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 2 Jul 2002 11:00:28 -0700 (PDT)
On 2 Jul 2002, Francis Yom wrote:

> Thanks for the advice Dan, but it's not it. I have snort running on an old but reliable 10BaseT hub. It used to be able to work just fine under the older 1.73 version of snort.

Hrm... I'd hazard a guess that the system has been upgraded since the 1.73 version. You might be running into something that's driver related...

> I did have problems getting the thing into promisc mode initially. I have an Intel E100B adapter in it. Using the e100.o module you can compile from Intel's source, I could not get it to go promisc. I switched over to the open source (David Hine's) eepro100 module, and I could get it to run in promisc at that point.

Try this test: Run snort and tcpdump at the same time. You _should_ see the same packets. If not, it might be the version of pcap each is linked against.

> I do have some snorting. The stream4 preprocessor seems to work and I can detect port 21 stealth activity, but that is it.

Try:

    var EXTERNAL_NET !$HOME_NET

See if that makes a difference.

> I have all the rules enabled and the box is a Pentium Pro 180 (400 bogomips). I'm running Debian with Kernel 2.4.19-pre1-ac2 with rmap VM and xfs filesystem. System has run stable - no oops or crashes or any other weirdness. So what do you think?

I know a number of folks are running in a similar config to yours. I'd have to guess that it would be something specific to your config, hardware or network setup.

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
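Added example, not part of the original message: one way to carry out the snort/tcpdump comparison suggested above, assuming both tools' packets were saved as classic pcap files on an Ethernet segment. It lists frames one capture has and the other lacks, and counts frames addressed to other hosts' unicast MACs, which on a hub only appear when the NIC is really promiscuous. All function names, MAC addresses and frames are constructed for illustration.

```python
import struct

def read_pcap(data):
    """Yield raw link-layer frames from a classic libpcap file (not pcapng)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    offset = 24  # skip the global header
    while offset + 16 <= len(data):
        caplen = struct.unpack_from(endian + "IIII", data, offset)[2]
        frame = data[offset + 16:offset + 16 + caplen]
        if len(frame) < caplen:
            break  # truncated last record
        yield frame
        offset += 16 + caplen

def foreign_unicast(data, own_mac):
    """Ethernet frames addressed to some other host's unicast MAC.
    On a hub these reach the sniffer only if the NIC is really promiscuous."""
    own = bytes.fromhex(own_mac.replace(":", ""))
    return [f for f in read_pcap(data)
            if len(f) >= 14 and f[:6] != own and not f[0] & 1]

def missing_from(reference, other):
    """Frames captured in `reference` that never show up in `other`."""
    seen = set(read_pcap(other))
    return [f for f in read_pcap(reference) if f not in seen]

def build_pcap(frames):
    """Constructed sample input: wrap frames in a little-endian pcap file."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(
        struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed MACs and frames (assumptions, not values from the thread).
SENSOR = "00:a0:c9:00:00:01"
SRC = bytes.fromhex("00a0c9000003")
TO_SENSOR = bytes.fromhex("00a0c9000001") + SRC + b"\x08\x00" + b"to sensor"
BROADCAST = b"\xff" * 6 + SRC + b"\x08\x06" + b"arp"
TO_OTHER = bytes.fromhex("00a0c9000002") + SRC + b"\x08\x00" + b"to other host"

TCPDUMP_CAP = build_pcap([TO_SENSOR, BROADCAST, TO_OTHER])  # sees the whole hub
SNORT_CAP = build_pcap([TO_SENSOR, BROADCAST])  # lacks other hosts' traffic

if __name__ == "__main__":
    print("foreign unicast, tcpdump:", len(foreign_unicast(TCPDUMP_CAP, SENSOR)))
    print("foreign unicast, snort:  ", len(foreign_unicast(SNORT_CAP, SENSOR)))
    print("seen by tcpdump only:    ", len(missing_from(TCPDUMP_CAP, SNORT_CAP)))
```

If both captures show zero foreign unicast frames, suspect the driver or NIC mode; if only one does, suspect how that tool opens the interface.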