Snort mailing list archives

RE: Do not want to take the right Sensor...??


From: "O'Flynn, Derek" <DOFlyn () lsuhsc edu>
Date: Wed, 13 Nov 2002 17:23:43 -0600

If I'm not mistaken, I believe you have to start snort with the correct
interface from the command line.

snort -T -i ne3 -c etc/snort.conf


-----Original Message-----
From: Thierry [mailto:lenaig () wanadoo fr] 
Sent: Wednesday, November 13, 2002 5:07 PM
To: snort-users
Subject: [Snort-users] Do not want to take the right Sensor...??

Hi all,
I am running, or trying to run snort-1.9.0, on OpenBSD 3.2.
Everything is working, Acid/apache/php4/Mysql... but snort is taking the wrong sensor...

ifconfig -a:

ne3: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:80:c8:f2:db:cc
        media: Ethernet autoselect (10baseT)
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        inet6 fe80::280:c8ff:fef2:dbcc%ne3 prefixlen 64 scopeid 0x1
ep0: flags=8963<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:60:97:a7:03:60
        media: Ethernet 10baseT
        inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::260:97ff:fea7:360%ep0 prefixlen 64 scopeid 0x2

One is going to sniff (ne3) and the other is going to my LAN (ep0), used for ssh connection.

snort -T -c etc/snort.conf:

database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snortdb
database:          host = localhost
database:   sensor name = 192.168.1.4
database:     sensor id = 1
database: schema version = 106
database: using the "log" facility
1700 Snort rules read...
1700 Option Chains linked into 192 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.9.0 (Build 209)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

Snort sucessfully loaded all rules and checked all rule chains!
database: Closing connection to database "snortdb"


If I choose var HOME_NET $ne3_ADDRESS
I have the following error:

bash-2.05b# snort -T -c etc/snort.conf
Initializing Output Plugins!
Log directory = /var/log/snort

Initializing Network Interface ep0

        --== Initializing Snort ==--
Decoding Ethernet on interface ep0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file etc/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR => Undefined variable name: (etc/snort.conf:35): ne3_ADDRESS
Fatal Error, Quitting..


In reality, snort is sniffing my LAN... why does it take ep0 and not ne3?
thanks for your help.



--
Thierry 
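
A check for the situation in this thread, as an added example that is not part of the original messages: it reads `snort -T` output and reports when Snort opened a different interface than the intended sensor. The function name `check_snort_iface` and its verdict strings are hypothetical; the sample lines are copied from the failing run quoted above, and the link between the undefined `$ne3_ADDRESS` and the opened interface is an assumption consistent with that output.

```shell
#!/bin/sh
# Added example, not from the thread. The sample lines are copied from the
# failing `snort -T` run quoted in the message.
SAMPLE_OUTPUT='Initializing Network Interface ep0
Decoding Ethernet on interface ep0
Parsing Rules file etc/snort.conf
ERROR => Undefined variable name: (etc/snort.conf:35): ne3_ADDRESS
Fatal Error, Quitting..'

# check_snort_iface EXPECTED < output-of-"snort -T ..."
# Prints a verdict; returns 0 if Snort opened EXPECTED, 1 if it opened
# another interface, 2 if no interface line was found.
check_snort_iface() {
    expected=$1
    out=$(cat)
    # Interface Snort actually opened (banner format of Snort 1.9.0).
    actual=$(printf '%s\n' "$out" |
        sed -n 's/^Initializing Network Interface \([^ ]*\).*/\1/p' | head -n 1)
    # Interface named in an undefined $<iface>_ADDRESS variable, if any.
    undef=$(printf '%s\n' "$out" |
        sed -n 's/^ERROR => Undefined variable name: .*: \(.*\)_ADDRESS$/\1/p' |
        head -n 1)
    if [ -z "$actual" ]; then
        echo "unknown: no interface line in output"
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "mismatch: snort opened $actual, expected $expected; add -i $expected"
        # Assumption: $<iface>_ADDRESS is only defined for the opened interface.
        if [ -n "$undef" ] && [ "$undef" != "$actual" ]; then
            echo "note: \$${undef}_ADDRESS is undefined because $undef was not opened"
        fi
        return 1
    fi
    echo "ok: snort opened $expected"
}

# Demonstration on the sample above (prints the mismatch verdict and the note).
printf '%s\n' "$SAMPLE_OUTPUT" | check_snort_iface ne3 || true
```

On a live sensor the same check would be fed from `snort -T -i ne3 -c etc/snort.conf 2>&1 | check_snort_iface ne3`.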



