Snort mailing list archives

RE: Promiscuous monitoring


From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 2 Jul 2002 11:00:28 -0700 (PDT)

On 2 Jul 2002, Francis Yom wrote:

Thanks for the advice Dan, but it's not it.  I have snort running on an
old but reliable 10BaseT hub.  It used to be able to work just fine under
the older 1.73 version of snort.

Hrm...  I'd hazard a guess that the system has been upgraded since the 1.73
version.  You might be running into something that's driver related...

I did have problems getting the thing into promisc mode initially.  I
have an Intel E100B adapter in it.  Using the e100.o module you can
compile from Intel's source, I could not get it to go promisc.  I
switched over to the open source (David Hine's) eepro100 module, and I
could get it to run in promisc at that point.

Try this test:  Run snort and tcpdump at the same time.  You _should_ see the
same packets.  If not, it might be the version of pcap each is linked against.

I do have some snorting.  The stream4 preprocessor seems to work and I
can detect port 21 stealth activity, but that is it.

try:  var EXTERNAL_NET !$HOME_NET

See if that makes a difference.

I have all the rules enabled and the box is a Pentium Pro 180 (400
bogomips).  I'm running Debian with Kernel 2.4.19-pre1-ac2 with rmap VM
and xfs filesystem.  System has run stable  - no oops or crashes or any
other weirdness.

So what do you think?

I know a number of folks are running in a similar config to yours.  I'd have
to guess that it would be something specific to your config, hardware or
network setup.

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
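
Added example, not part of the original message: one way to carry out the snort/tcpdump comparison suggested above, by diffing two classic pcap files packet by packet. It assumes both tools wrote binary captures (for instance `tcpdump -w` and `snort -b`) on the same interface with the same snap length; the function names and the sample frames are constructed for illustration.

```python
import hashlib
import struct
from collections import Counter

# Classic pcap magic numbers (microsecond and nanosecond variants) -> byte order.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}

def read_packets(data):
    """Return the captured bytes of every record in a classic pcap file."""
    order = MAGICS.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    packets, off = [], 24                      # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _frac, incl_len, _orig = struct.unpack_from(order + "IIII", data, off)
        off += 16
        if off + incl_len > len(data):
            break                              # truncated final record
        packets.append(data[off:off + incl_len])
        off += incl_len
    return packets

def compare(pcap_a, pcap_b):
    """Count packets seen by both captures and by only one of them."""
    a = Counter(hashlib.sha256(p).digest() for p in read_packets(pcap_a))
    b = Counter(hashlib.sha256(p).digest() for p in read_packets(pcap_b))
    return {"common": sum((a & b).values()),
            "only_a": sum((a - b).values()),
            "only_b": sum((b - a).values())}

def build_pcap(packets, order="<"):
    """Build a constructed sample capture (Ethernet link type) in memory."""
    out = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(packets):
        out += struct.pack(order + "IIII", i, 0, len(p), len(p)) + p
    return out

# Constructed frames: one broadcast, two between other hosts on the hub.
FRAMES = [b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55\x08\x06" + b"sample-1",
          b"\x00\xaa\xbb\xcc\xdd\x01\x00\xaa\xbb\xcc\xdd\x02\x08\x00" + b"sample-2",
          b"\x00\xaa\xbb\xcc\xdd\x02\x00\xaa\xbb\xcc\xdd\x01\x08\x00" + b"sample-3"]

if __name__ == "__main__":
    tcpdump_cap = build_pcap(FRAMES)           # saw all traffic
    snort_cap = build_pcap(FRAMES[:1], ">")    # saw only the broadcast
    print(compare(tcpdump_cap, snort_cap))
```

A large "only_a" or "only_b" count over the same time window means one tool is missing traffic the other receives, which is the symptom the test is meant to expose.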


