Snort mailing list archives
Snort / Promiscuous
From: "Jim mc" <mckier2002 () hotmail com>
Date: Tue, 12 Nov 2002 08:25:17 +0000
Hi all, hopefully someone will be able to point me in the right direction. I'm quite new to all this so excuse my ignorance/stupidity.
I've just built a RH 7.1 box and compiled snort: libpcap-0.7.1 snort-1.9.0. To start snort I'm using: /usr/local/snort/snort -i eth1 -c /usr/local/snort/rules/snort.conf -u snort -g snort -b -l /var/snort_log_storage
But it does not seem to be sniffing all the traffic on my hub. I tried running tcpdump and to no avail, it too does not see all the traffic on the hub.
I eventually did manage to get it to work but only by following these steps:
[root@syd-snort /etc]# ifconfig eth1 down
[root@syd-snort /etc]# ifconfig eth1 up -promisc
[root@syd-snort /etc]# tcpdump -i eth1 src host 10.9.1.202
Kernel filter, protocol ALL, TURBO mode (575 frames), datagram packet socket
tcpdump: listening on eth1
0 packets received by filter
[root@syd-snort /etc]# tcpdump -i eth1 -p src host 10.9.1.202
Kernel filter, protocol ALL, TURBO mode (575 frames), datagram packet socket
tcpdump: listening on eth1
0 packets received by filter
[root@syd-snort /etc]# tcpdump -i eth1 src host 10.9.1.202
Kernel filter, protocol ALL, TURBO mode (575 frames), datagram packet socket
tcpdump: listening on eth1
19:04:36.719497 P 10.9.1.202.3288 > syd-snort.ssh: . 3679665:3679665(0) ack 225)
19:04:36.729497 P 10.9.1.202.3288 > syd-snort.ssh: . 0:0(0) ack 377 win 8208 (D)
19:04:36.869497 P 10.9.1.202.3288 > syd-snort.ssh: . 0:0(0) ack 497 win 8088 (D)
19:04:36.949497 P 10.9.1.202.3068 > 10.9.1.205.netbios-ssn: P 3809133:3809197(6)
19:04:36.959497 P 10.9.1.202.3288 > syd-snort.ssh: . 0:0(0) ack 777 win 7808 (D)
19:04:36.959497 P 10.9.1.202.3068 > 10.9.1.205.netbios-ssn: . 64:64(0) ack 2921)
19:04:36.959497 P 10.9.1.202.3068 > 10.9.1.205.netbios-ssn: . 64:64(0) ack 5841)
19:04:36.959497 P 10.9.1.202.3068 > 10.9.1.205.netbios-ssn: . 64:64(0) ack 8256)
19:04:36.959497 P 10.9.1.202.3288 > syd-snort.ssh: . 0:0(0) ack 1033 win 7552 ()
19:04:36.959497 P 10.9.1.202.3288 > syd-snort.ssh: . 0:0(0) ack 1305 win 8760 ()
19:04:36.959497 P 10.9.1.202.3288 > syd-snort.ssh: . 0:0(0) ack 1545 win 8520 ()
19:04:37.069497 P 10.9.1.202.3288 > syd-snort.ssh: . 0:0(0) ack 1665 win 8400 ()
19:04:37.269497 P 10.9.1.202.3288 > syd-snort.ssh: . 0:0(0) ack 1785 win 8280 ()
19:04:37.429497 P 10.9.1.202.3288 > syd-snort.ssh: P 0:40(40) ack 1905 win 8160)
I'm lost as to why I have to do this? Has anyone seen this kind of behavior before?
Thanks in advance, Jim.
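An added check for the situation described in the post above (example code, not part of the original message or of Snort): a POSIX shell script that reads the Linux sysfs flags word for a capture interface and tests the IFF_PROMISC bit (0x100 in linux/if.h), so a sensor start script can confirm that promiscuous mode is actually on before launching snort or tcpdump, instead of inferring it from whether traffic shows up. The interface name, the `ip`/`ifconfig` fallback and the sysfs path are assumptions about the host running it. Note that tcpdump's `-p` option means "do not put the interface into promiscuous mode", so it is not a way to enable promiscuous capture.

```shell
#!/bin/sh
# Added example (not from the original post): verify and, if needed, enable
# promiscuous mode on a Linux capture interface before starting a sensor.
#
# Assumptions: Linux sysfs exposes /sys/class/net/<iface>/flags as one hex
# word (e.g. 0x1003 = UP|BROADCAST|MULTICAST, 0x1103 = the same plus PROMISC),
# and either `ip` or `ifconfig` is available to change the flag.

IFF_PROMISC=0x100   # value from <linux/if.h>

# promisc_in_flags HEXFLAGS
#   exit 0 if the IFF_PROMISC bit is set in the given flags word, 1 otherwise
promisc_in_flags() {
    flags="$1"
    if [ $(( $flags & $IFF_PROMISC )) -ne 0 ]; then
        return 0
    fi
    return 1
}

# iface_promisc IFACE
#   0 = promiscuous, 1 = not promiscuous, 2 = interface not found
iface_promisc() {
    f="/sys/class/net/$1/flags"
    [ -r "$f" ] || return 2
    promisc_in_flags "$(cat "$f")"
}

# ensure_promisc IFACE
#   Turn promiscuous mode on when it is off, then re-read the kernel flag
#   so the caller trusts what the kernel reports, not what the tool printed.
ensure_promisc() {
    iface="$1"
    [ -r "/sys/class/net/$iface/flags" ] || {
        echo "$iface: no such interface" >&2
        return 2
    }
    if iface_promisc "$iface"; then
        echo "$iface: already promiscuous"
        return 0
    fi
    # Prefer iproute2; fall back to the older ifconfig syntax used in the post.
    ip link set dev "$iface" promisc on 2>/dev/null \
        || ifconfig "$iface" promisc \
        || return 1
    if iface_promisc "$iface"; then
        echo "$iface: promiscuous mode enabled"
        return 0
    fi
    echo "$iface: kernel still reports promiscuous mode off" >&2
    return 1
}

# Usage: ensure_promisc.sh eth1 && snort -i eth1 ...
if [ "$#" -gt 0 ]; then
    ensure_promisc "$1"
fi
```

Running `ensure_promisc eth1` before the snort command line from the post makes the start-up fail loudly if the flag could not be set, which is the state the post describes (tcpdump reporting "0 packets received by filter" on a hub).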