Re: Snort Just Does Not Want To Work on Shadow Interrface

[Paul Schmehl <pauls () utdallas edu>]

--On Tuesday, July 20, 2004 6:55 AM -0700 Rhugga 
<snort-list () sandiego420 com> wrote:
> If I look at the traffic on eth1:
>
> syslog:/usr/local/snort/bin #./snort -i eth1 -v
> Running in packet dump mode
> Log directory = /var/log/snort
>
> Initializing Network Interface eth1
> OpenPcap() device eth1 network lookup:
>        eth1: no IPv4 address assigned
>
>        --== Initializing Snort ==--
> Initializing Output Plugins!
> Decoding Ethernet on interface eth1
>
>        --== Initialization Complete ==--
>
> -*> Snort! <*-
> Version 2.1.3 (Build 27)
> By Martin Roesch (roesch () sourcefire com, www.snort.org)
> 07/20-06:28:39.383108 207.158.24.130 -> 65.120.XX.XX
> IPV6-CRYPT TTL:52 TOS:0x0 ID:43725 IpLen:20 DgmLen:104
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 07/20-06:28:39.383705 207.158.24.130 -> 65.120.XX.XX
> IPV6-CRYPT TTL:52 TOS:0x0 ID:43726 IpLen:20 DgmLen:104
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
So snort *is* working.  You can see it with your own eyes.

> It is reading traffic on eth1.

And you acknowledge it as well.

> However, when I start nagios it will run,
> but it will not match anything.

What does nagios have to do with snort?

> I get not a single alert.

Not a single alert where?  You've been asked this before.  *Please* show us 
your snort.conf file - grep -v "#" /etc/snort/snort.conf (or whatever the 
correct path is.)  It's really hard to troubleshoot blind.

> However, when I
> assign eth1 a valid IP address on the 65.120.XX.XX network, it
> immediately starts matching. Within seconds my alert count starts
> climbing. (Note that when I say I am assigning it a valid IP address I
> also modify HOME_NET to reflect this)
So it's not the same setup as the one that's failing.  Show us your 
snort.conf file, *please*!  Show us the section of /var/log/messages that 
shows you bringing up snort.

You've already proven, to us and to yourself, that snort can see traffic on 
an interface with no IP assigned.  (BTW, I'd be leery of assigning 0.0.0.0 
to an interface.  x.x.x.0 is the designated address for a network and 
should not be used as a "live" address, just as x.x.x.255 is the broadcast 
address for a network.  I wouldn't trust it to work correctly, and it 
shouldn't be needed.  Your networking scripts should have something like:

ifconfig up
bootproto none
userctl no

And that should work fine.

Here's mine, for FreeBSD, and it works fine.

bash-2.05b# grep ifconfig_xl0 /etc/rc.conf
ifconfig_xl0="promisc up"

bash-2.05b# ifconfig xl0
xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
       inet6 fe80::260:97ff:fe74:28e7%xl0 prefixlen 64 scopeid 0x1
       ether 00:60:97:74:28:e7
       media: Ethernet autoselect (100baseTX)
       status: active

PROMISC is obsoleted in RedHat, so you don't need to use that, but up 
should work just fine.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users