Snort mailing list archives

Snort / Promiscuous


From: "Jim mc" <mckier2002 () hotmail com>
Date: Tue, 12 Nov 2002 08:25:17 +0000

Hi all,
Hopefully someone will be able to point me in the right direction. I'm quite new to all this, so excuse my ignorance/stupidity.

I've just built a RH 7.1 box and compiled snort:

libpcap-0.7.1
snort-1.9.0

To start snort I'm using:
/usr/local/snort/snort -i eth1 -c /usr/local/snort/rules/snort.conf -u snort -g snort -b -l /var/snort_log_storage

But it does not seem to be sniffing all the traffic on my hub.

I tried running tcpdump, but to no avail; it too does not see all the traffic on the hub.

I eventually did manage to get it to work, but only by following these steps:

[root@syd-snort /etc]# ifconfig eth1 down
[root@syd-snort /etc]# ifconfig eth1 up -promisc
[root@syd-snort /etc]# tcpdump -i eth1 src host 10.9.1.202
Kernel filter, protocol ALL, TURBO mode (575 frames), datagram packet socket
tcpdump: listening on eth1

0 packets received by filter

[root@syd-snort /etc]# tcpdump -i eth1 -p src host 10.9.1.202
Kernel filter, protocol ALL, TURBO mode (575 frames), datagram packet socket
tcpdump: listening on eth1

0 packets received by filter
[root@syd-snort /etc]# tcpdump -i eth1 src host 10.9.1.202
Kernel filter, protocol ALL, TURBO mode (575 frames), datagram packet socket
tcpdump: listening on eth1
19:04:36.719497 P 10.9.1.202.3288 > syd-snort.ssh: . 3679665:3679665(0) ack 225)
19:04:36.729497 P 10.9.1.202.3288 > syd-snort.ssh: . 0:0(0) ack 377 win 8208 (D)
19:04:36.869497 P 10.9.1.202.3288 > syd-snort.ssh: . 0:0(0) ack 497 win 8088 (D)
19:04:36.949497 P 10.9.1.202.3068 > 10.9.1.205.netbios-ssn: P 3809133:3809197(6)
19:04:36.959497 P 10.9.1.202.3288 > syd-snort.ssh: . 0:0(0) ack 777 win 7808 (D)
19:04:36.959497 P 10.9.1.202.3068 > 10.9.1.205.netbios-ssn: . 64:64(0) ack 2921)
19:04:36.959497 P 10.9.1.202.3068 > 10.9.1.205.netbios-ssn: . 64:64(0) ack 5841)
19:04:36.959497 P 10.9.1.202.3068 > 10.9.1.205.netbios-ssn: . 64:64(0) ack 8256)
19:04:36.959497 P 10.9.1.202.3288 > syd-snort.ssh: . 0:0(0) ack 1033 win 7552 ()
19:04:36.959497 P 10.9.1.202.3288 > syd-snort.ssh: . 0:0(0) ack 1305 win 8760 ()
19:04:36.959497 P 10.9.1.202.3288 > syd-snort.ssh: . 0:0(0) ack 1545 win 8520 ()
19:04:37.069497 P 10.9.1.202.3288 > syd-snort.ssh: . 0:0(0) ack 1665 win 8400 ()
19:04:37.269497 P 10.9.1.202.3288 > syd-snort.ssh: . 0:0(0) ack 1785 win 8280 ()
19:04:37.429497 P 10.9.1.202.3288 > syd-snort.ssh: P 0:40(40) ack 1905 win 8160)

I'm lost as to why I have to do this? Has anyone seen this kind of behavior before?

Thanks in advance,

Jim.
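The symptom in the post above (snort and tcpdump missing traffic on a hub until the NIC is brought up with -promisc) is what a non-promiscuous interface looks like: the card only passes frames addressed to itself plus broadcast/multicast. The following preflight check is an added example, not part of the original message or of Snort itself; it reads the interface flags word the Linux kernel exposes in /sys/class/net/<if>/flags (an assumption: sysfs did not exist on the poster's RH 7.1 kernel, so a fallback parser for classic ifconfig output is included) and refuses to start the sensor unless the interface is up and promiscuous. The bit values IFF_UP and IFF_PROMISC are those from <linux/if.h>.

```shell
#!/bin/sh
# Added example (not from the original post or from Snort): verify that a
# sensor interface is up and in promiscuous mode before starting a sniffer.
# Assumptions: Linux with sysfs for the primary check; net-tools style
# ifconfig output for the fallback parser. Flag bits are from <linux/if.h>.

IFF_UP=0x1
IFF_PROMISC=0x100

# flags_is_up HEXFLAGS -> exit 0 if the IFF_UP bit is set in the flags word
flags_is_up() {
    [ $(( $1 & $IFF_UP )) -ne 0 ]
}

# flags_has_promisc HEXFLAGS -> exit 0 if the IFF_PROMISC bit is set
flags_has_promisc() {
    [ $(( $1 & $IFF_PROMISC )) -ne 0 ]
}

# promisc_from_ifconfig < OUTPUT -> exit 0 if the ifconfig flags line shows
# PROMISC; handles both the classic "UP BROADCAST RUNNING PROMISC ..." line
# and the newer "flags=...<UP,BROADCAST,PROMISC,...>" form.
promisc_from_ifconfig() {
    grep -Eq '(^[[:space:]]*UP .*[[:space:]]PROMISC([[:space:]]|$))|(<[^>]*PROMISC[^>]*>)'
}

# sysfs_flags IFNAME -> print the raw hex flags word, empty if no such interface
sysfs_flags() {
    cat "/sys/class/net/$1/flags" 2>/dev/null
}

# check_sensor_iface IFNAME -> 0 ready, 1 up but not promiscuous,
#                              2 interface down, 3 interface not found
check_sensor_iface() {
    ifname="$1"
    flags="$(sysfs_flags "$ifname")"
    [ -n "$flags" ] || { echo "$ifname: interface not found" >&2; return 3; }
    flags_is_up "$flags" || { echo "$ifname: interface is down (flags $flags)" >&2; return 2; }
    flags_has_promisc "$flags" || {
        echo "$ifname: not in promiscuous mode (flags $flags); enable it with: ip link set $ifname promisc on" >&2
        return 1
    }
    echo "$ifname: up and promiscuous (flags $flags)"
    return 0
}

# When run with an interface name, gate the sensor start on the check,
# e.g.:  ./check_promisc.sh eth1 && snort -i eth1 -c snort.conf ...
if [ $# -ge 1 ]; then
    check_sensor_iface "$1" && echo "OK to start snort on $1"
fi
```

Note that snort and tcpdump normally put the interface into promiscuous mode themselves through libpcap, so this check is most useful as a diagnostic: if the interface was up and promiscuous yet the sniffer still saw only its own traffic, the problem is on the hub (or a switch masquerading as one) rather than on the sensor.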
