Snort mailing list archives

Re: snort daemon to listen to eth2 and eth3 in promiscuous mode


From: Kaushal Shriyan <kaushalshriyan () gmail com>
Date: Thu, 21 Feb 2013 16:12:36 +0530

Hi Ayodele

I have the below settings in my snort.conf -> http://fpaste.org/F8ZO/

cat /tmp/interfaces
bond0     Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0C
          inet addr:192.168.73.67  Bcast:192.168.73.255  Mask:255.255.255.0
          inet6 addr: fe80::e2db:55ff:fe05:d00c/64 Scope:Link
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:1902153 errors:0 dropped:0 overruns:0 frame:0
          TX packets:250497 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:232394243 (221.6 MiB)  TX bytes:93066331 (88.7 MiB)

eth0      Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0C
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:1101579 errors:0 dropped:0 overruns:0 frame:0
          TX packets:250497 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:169722435 (161.8 MiB)  TX bytes:93066331 (88.7 MiB)
          Interrupt:194 Memory:d91a0000-d91b0000

eth1      Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0C
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:800574 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:62671808 (59.7 MiB)  TX bytes:0 (0.0 b)
          Interrupt:202 Memory:d91d0000-d91e0000

eth2      Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0E
          inet6 addr: fe80::e2db:55ff:fe05:d00e/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:64 (64.0 b)  TX bytes:492 (492.0 b)
          Interrupt:210 Memory:d90a0000-d90b0000

eth3      Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0F
          inet6 addr: fe80::e2db:55ff:fe05:d00f/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:64 (64.0 b)  TX bytes:492 (492.0 b)
          Interrupt:218 Memory:d90d0000-d90e0000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:104 errors:0 dropped:0 overruns:0 frame:0
          TX packets:104 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5200 (5.0 KiB)  TX bytes:5200 (5.0 KiB)

#ps aux | grep snort
snort    21011  0.0  0.2 416992 71812 ?        Ssl  16:05   0:00
/usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c
/etc/snort/snort.conf -l /var/log/snort
root     21031  0.0  0.0  61172   748 pts/0    S+   16:09   0:00 grep snort
I tried running /usr/sbin/snort -c /etc/snort/snort.conf -u snort -g snort
--daq afpacket -i eth2:eth3 -Q but I don't see any traffic in the
/var/log/snort/alert file.

Please let me know if I am missing anything and if you need any
additional certificate. Also the Datacenter folks have told us the port
mirroring is done on the L3 switch running in L2 mode.

Regards,

Kaushal




On Tue, Feb 19, 2013 at 11:25 PM, Kaushal Shriyan
<kaushalshriyan () gmail com> wrote:



On Tue, Feb 19, 2013 at 8:12 PM, Ayodele Okeowo <aymacro () gmail com> wrote:

Nice! I will assume you are using the bond0 interface as your management
interface and it's described in your snort config file.

You shouldn't have any problem you just have to change the format of the
command line to the one I pasted earlier.

Ayo


Thanks a lot Ayodele. Will update you as I progress and seek help here if
I get into issues.
Thanks everyone for the kind support. Much Appreciated.

Regards,

Kaushal
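One check worth running on a listing like the one in this thread, added here as an example that is not from any of the posters: eth2 and eth3 are in PROMISC mode but show "RX packets:1", so before touching snort.conf it pays to confirm the mirror port is delivering frames at all. The helper parses ifconfig-style output from stdin; the sample block, MAC addresses and the 100-packet threshold are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report interfaces that are in PROMISC mode (i.e. meant to be
# sniffing) but have received fewer than <threshold> packets, which is what a
# SPAN/mirror port that is not actually fed looks like in ifconfig output.
# Reads ifconfig-style text on stdin; threshold defaults to 100 (assumed).

span_health() {
    threshold="${1:-100}"
    awk -v min="$threshold" '
        /^[A-Za-z0-9]/ { iface = $1 }          # a new interface block starts
        /PROMISC/      { promisc[iface] = 1 }  # only sniffing interfaces matter
        /RX packets:/  {                       # "RX packets:<n> errors:..."
            split($2, f, ":"); rx[iface] = f[2] + 0
        }
        END {
            for (i in promisc)
                if (rx[i] < min) printf "%s rx=%d\n", i, rx[i]
        }' | sort
}

# Constructed sample modelled on the listing above: eth2/eth3 are PROMISC with
# one received packet, bond0 is busy but not PROMISC, eth4 is a healthy sniffer.
SAMPLE_IFCONFIG='bond0     Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:1902153 errors:0 dropped:0 overruns:0 frame:0

eth2      Link encap:Ethernet  HWaddr 00:11:22:33:44:56
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0

eth3      Link encap:Ethernet  HWaddr 00:11:22:33:44:57
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0

eth4      Link encap:Ethernet  HWaddr 00:11:22:33:44:58
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:54321 errors:0 dropped:0 overruns:0 frame:0'

# On a live sensor: ifconfig -a | span_health 100
printf '%s\n' "$SAMPLE_IFCONFIG" | span_health 100
```

Run it a second time a minute later: if the flagged counters have not moved, the problem is upstream of Snort (mirror session, cabling, VLAN), not in the rules or the DAQ line. Note also that `-Q` with `eth2:eth3` puts afpacket in inline bridging mode, whereas a mirrored feed is normally read passively.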
