[Snort-users] Some reasonably dumb questions!

Peter Bates peter.bates at ...79...
Fri Jan 19 15:46:12 EST 2001

Hello all...

I'm about to try and push snort-1.7
into a semi-production environment
snorting from a spanned/duplicated switch port...

I'm running snort-1.7 from an RPM on
a box with a reasonably bare RedHat 6.2
(i.e. everything else is stripped off it
except syslog, cron and snort itself... oh, and the kernel)

I've tried running with the stock RH 2.2.16 kernel,
and newest 2.4.0...

I have looked at the FAQ:
Q:  I've got RedHat and ....

A:  Check your version of libpcap.  :) If it's not <= 0.5, then you should

so I have libpcap-0.4-19, so that should be OK,
unless the < is the wrong way round in the FAQ?

I have two interfaces in the box, two Intel Etherpros,
which would disappear (or at least complain) under 2.2.x,
hence moving to 2.4.0...

The crux of my problem is...

One interface has an 'internal' address for management (eth0)
and the other interface is meant to be the 'snorting' port.

I have done:

/sbin/ifconfig eth1 up

and then run snort (started out of init.d scripts) like so:
         /usr/sbin/snort -u snort -g snort -s -d -D \
         -i eth1 -N -c /etc/snort-local/snort.conf

on my test boxes, which are just running a mix of
snortfull.conf and vision rules, I see responses
to the likes of nmap pings, etc. but naturally, in
our switched environment, only traffic to those boxes...

So, re-enter the above machine, intended to snort on the
unconfigured (well, no ip-address) interface eth1...

To test at the moment, I have a few machines on a multi-port
hub, and have plugged the eth1 from the snort box into the same hub.

Trying things like ftp to one of the machines on the hub and
trying 'user: warez' or provoking a '503 User unknown' produce
no alerts at all... nothing.

Tcpdump -i eth1 port 21 ... no traffic seen.

I've read various emails (going back over several months and
versions of snort!) about people having trouble here,
so can anyone suggest anything before I go mad?

I'm using RPMs because it is easier to knock up
a quick box with a few packages on it, but should
I be using libpcap 0.6.x? Is it kernel-related?

The final note... if I run snort similarly on eth0, all is happy,
but again, due to switching, it only sees traffic destined for
the actual interface...

Is it some weird problem, or am I just incompetent? 8)

Output from ifconfig -a :

eth0      Link encap:Ethernet  HWaddr 00:90:27:9F:E6:CF
           inet addr:x.x.x.x  Bcast:x.x.x.255  Mask:
           RX packets:108785 errors:0 dropped:0 overruns:0 frame:0
           TX packets:285 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:100

eth1      Link encap:Ethernet  HWaddr 00:02:B3:11:EF:82
           RX packets:111684 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:100
           Interrupt:9 Base address:0x2000

lo        Link encap:Local Loopback
           inet addr:  Mask:
           UP LOOPBACK RUNNING  MTU:3904  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0

... and yes, the RX count on eth1 is increasing.

Even with just 1 rule, e.g.

alert TCP any any -> any 21 (msg: "Wow! I saw something";)

it still doesn't see anything...

I'd be grateful for any pointers!

Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-927 2124 / Fax:0207-436 5389 / Pager: 07625 255362
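A pre-flight check a sensor operator can script before attaching snort to a capture-only port: parse `ifconfig -a` output and confirm the interface shows UP, RUNNING and PROMISC and has a non-zero RX count. This is an added example, not part of the original post or of Snort; its sample input is the poster's `ifconfig -a` output as quoted above (trimmed to the relevant lines), in which neither eth0 nor eth1 shows a flags line, which the check reports.

```python
import re

# Constructed sample: the `ifconfig -a` output quoted in the post, TX lines dropped.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:90:27:9F:E6:CF
          inet addr:x.x.x.x  Bcast:x.x.x.255  Mask:
          RX packets:108785 errors:0 dropped:0 overruns:0 frame:0

eth1      Link encap:Ethernet  HWaddr 00:02:B3:11:EF:82
          RX packets:111684 errors:0 dropped:0 overruns:0 frame:0

lo        Link encap:Local Loopback
          inet addr:  Mask:
          UP LOOPBACK RUNNING  MTU:3904  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
"""

# Flag words ifconfig prints on the status line (PROMISC appears only while a
# sniffer such as snort or tcpdump holds the interface in promiscuous mode).
FLAG_WORDS = {"UP", "BROADCAST", "RUNNING", "PROMISC", "MULTICAST", "LOOPBACK", "NOARP"}

def parse_ifconfig(text):
    """Map each interface to its flag set, RX packet count and whether it has an IP."""
    ifaces = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        name = lines[0].split()[0]
        flags, rx, has_ip = set(), 0, False
        for line in lines[1:]:
            tokens = line.split()
            if tokens and tokens[0] in FLAG_WORDS:       # the status/flags line
                flags.update(t for t in tokens if t in FLAG_WORDS)
            m = re.search(r"RX packets:(\d+)", line)
            if m:
                rx = int(m.group(1))
            if re.search(r"inet addr:\S", line):          # an address actually follows
                has_ip = True
        ifaces[name] = {"flags": flags, "rx": rx, "has_ip": has_ip}
    return ifaces

def sensor_problems(ifaces, name):
    """Why `name` is not ready as a passive capture port ([] = fine); no IP is expected."""
    info = ifaces.get(name)
    if info is None:
        return ["interface not present"]
    problems = [f"missing {f}" for f in ("UP", "RUNNING", "PROMISC") if f not in info["flags"]]
    if info["rx"] == 0:
        problems.append("no frames received")
    return problems
```

Run against live output with `sensor_problems(parse_ifconfig(subprocess.check_output(["ifconfig", "-a"], text=True)), "eth1")` while tcpdump or snort is attached; a rising RX count with no PROMISC flag means the driver is delivering frames but the capture is not in promiscuous mode.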
