Snort mailing list archives

Re: Snort not listening on interface


From: Paul Greene <pauljgreene () comcast net>
Date: Sun, 09 Apr 2006 23:22:00 -0400

I sent in this message earlier that doesn't seem to have appeared on the list yet, but I think I found the problem anyway. (maybe I sent the original to the admin address by mistake)

When I checked the running processes, the startup command was listed and it was listening on eth0. I wanted it to listen on eth1, so I modified the startup script in /etc/init.d/snort to point to eth1, restarted the service, waited a couple of hours and the alerts started coming in. So, all is well (apparently).

If this will help someone with a similar problem, maybe it's worth the resend.

Paul Greene wrote:
I recently installed Snort using the "Snort Enterprise Install" instructions by Patrick Harper. During the install I had one NIC card installed, and this was assigned an IP address on my internal network. I ran a few nmap scans against the Snort sensor to make sure it was capturing alerts and all seemed well.

I added a second NIC after everything was working fine, and did not assign it an IP address. I connected a hub to the CAT5 cable coming from my cable modem, plugged the firewall into the hub, and plugged this new 2nd NIC card from the Snort sensor into the hub.

Traffic in and out of the network is flowing fine through the firewall, but the Snort sensor isn't capturing any alerts through this new 2nd interface. After being plugged into the wide open internet for about 18 hours now, I can't believe the box has not been scanned by some script kiddie yet. I also went out to the Gibson Research website and ran the port scan back against my firewall, which I thought should generate some alerts, but, again, nothing came up.

Running an ifconfig command on this 2nd NIC looked like the card was not in promiscuous mode, so I ran an "ifconfig eth1 promisc" command, and then the promisc option was now showing on the card.

The OS is CentOS 4.2, Snort 2.4.3. The only rule set I disabled was SNMP (because my internal wireless router was generating a bunch of false positives).

Any suggestions?

Paul Greene
