Snort mailing list archives

snort suddenly not capturing packets
From: Ben Jacobs-Swearingen <bjsdaiyu () gmail com>
Date: Wed, 8 Jan 2014 19:39:02 -0500

Hello:

I recently restarted snort on an ArchLinux ARM (Raspberry Pi) sensor with
new rules (and a slightly modified snort.conf); the post-reboot snort will
launch without explicit errors but appears not to be listening to any
interfaces on the sensor and I am unable to figure out why.  Snort had been
working correctly for months prior to this change.

The sensor has two interfaces, eth0 and eth1; mirrored traffic (for snort
to process) is being sent to eth0 (which is up and running though it does
not have a configured IP address), while eth1 has a configured address on
an admin segment. Prior to changing the rules and rebooting snort, snort
was listening to and correctly processing traffic on eth0.

- "tcpdump -i eth0" works just fine, it sees all mirrored traffic

- "snort -dev -l . -i eth0" makes it to the "listening" stage but appears
to not pick up any of the traffic I generate across the interface; again,
tcpdump sees this traffic just fine.  "snort -dev ..."  also does not work
when I set it to listen on eth1 (tcpdump works there as well).

- "snort -r <bad.pcap> -c .../snort.conf" with <bad.pcap> containing
traffic I want flagged DOES work correctly: the traffic is processed
according to the rules, alerts are correct and sent to the correct
repository.

I suspect my changes to snort.conf might have introduced a problem that I
simply am not seeing so have attached the conf file for examination (but am
confused in that case why "snort -r" is working since it's using the same
conf file).

Alternately, I have attached an strace in case something with the interface
setup somehow got screwed up (as suggested by the fact that snort replay is
working). I see in strace there are some errors with setsockopt(...) which
might be more relevant to the capturing issue; any idea what might be
causing those, assuming that those aren't par for the course?

The only similar posts I could find on this topic discuss various issues
with DAQ; I don't see how those might apply in my case since the
installation was working for months prior to today.

Thanks for any help.

Attachment: snort_strace.txt

Attachment: snort.conf
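One way to triage the strace attachment the poster refers to: an added script (not from this thread or from the Snort project) that pulls out every failing setsockopt/socket/bind/ioctl call from strace's default one-line-per-syscall output and tallies them by errno, so a repeated capture-setup failure stands out from harmless one-off errors. The trace lines embedded below are constructed for the demonstration and are not the poster's attachment; the syscall names and errno values in them are assumptions.

```python
import re
from collections import Counter

# One strace line: optional "[pid N]" or timestamp prefix, syscall name,
# argument list, return value and, on failure, the errno name and message.
STRACE_RE = re.compile(
    r"^(?:\[pid\s+\d+\]\s+)?(?:\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+)?"
    r"(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+|0x[0-9a-fA-F]+)"
    r"(?:\s+(?P<errno>E[A-Z0-9]+)\s+\((?P<msg>[^)]*)\))?"
)

# Syscalls involved in opening and configuring a packet-capture socket.
CAPTURE_CALLS = ("socket", "bind", "ioctl", "setsockopt")


def parse_failures(lines, calls=CAPTURE_CALLS):
    """Return (syscall, errno, args) for every failing call in `calls`."""
    failures = []
    for line in lines:
        m = STRACE_RE.match(line.strip())
        if not m or m.group("call") not in calls:
            continue
        if m.group("ret").startswith("-"):  # negative return = failed call
            failures.append((m.group("call"), m.group("errno") or "?", m.group("args")))
    return failures


def summarize(failures):
    """Count failures per (syscall, errno) so repeated errors are visible."""
    return Counter((call, err) for call, err, _ in failures)


# Constructed sample trace (NOT the poster's attachment); the option names
# and errno values are assumed for illustration only.
SAMPLE_TRACE = """\
socket(PF_PACKET, SOCK_RAW, 768) = 3
ioctl(3, SIOCGIFINDEX, {ifr_name="eth0", ifr_index=2}) = 0
bind(3, {sa_family=AF_PACKET, proto=0x03, if2, pkttype=PACKET_HOST, addr(0)={0, }, 20) = 0
setsockopt(3, SOL_PACKET, PACKET_VERSION, [1], 4) = 0
setsockopt(3, SOL_PACKET, PACKET_RX_RING, {...}, 16) = -1 ENOMEM (Cannot allocate memory)
setsockopt(3, SOL_PACKET, PACKET_RX_RING, {...}, 16) = -1 ENOMEM (Cannot allocate memory)
setsockopt(3, SOL_SOCKET, SO_ATTACH_FILTER, {...}, 16) = -1 EINVAL (Invalid argument)
""".splitlines()

if __name__ == "__main__":
    for (call, err), n in summarize(parse_failures(SAMPLE_TRACE)).items():
        print(f"{n}x {call} failed with {err}")
```

Run it on a real trace with `parse_failures(open("snort_strace.txt"))`; a capture socket whose ring-buffer or filter setup fails repeatedly is a stronger lead than a single benign error.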

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
