[Snort-users] promiscuous mode problem

Martin Roesch roesch at ...421...
Mon Mar 12 01:59:19 EST 2001


Check out your rules:

var HOME_NET 129.236.21.0/24
var EXTERNAL_NET !129.236.21.0/24

That means you can't be on the same subnet and be testing the Snort rules;
it's ignoring attacks coming from your network.  Try 'var EXTERNAL_NET
any' and see how that works.

    -Marty

Lawrence Rosen wrote:
> 
>         I recently installed a snort-1.7-1.i386.rpm on my dual processor
> DELL box running RedHat 6.2.  I'm missing some functionality.
> 
> Starting the snort daemon at boot time doesn't put the ethernet
> interface into promiscuous mode.  I issued the command 'ifconfig eth0
> promisc' to configure eth0 as shown below.  This doesn't seem correct
> based on my reading of the documentation.  libpcap-0.4-1.9 is the
> version installed.  Thanks in advance for any advice about the situation.
> 
> ==========================================================================
> 
> eth0      Link encap:Ethernet  HWaddr 00:B0:D0:3D:96:09
>           inet addr:129.236.21.85  Bcast:129.236.21.255
> Mask:255.255.255.0
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:2939 errors:0 dropped:0 overruns:1 frame:0
>           TX packets:851 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           Interrupt:16 Base address:0xdc80
> 
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:3924  Metric:1
>           RX packets:893 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:893 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
> ==========================================================================
> 
> The command used during boot to start snort in its daemon mode is;
> 
> INTERFACE=eth0
> daemon /usr/sbin/snort -u snort -g snort -s -d -D -i $INTERFACE -l
> /var/log/snort -c /etc/snort/snort.conf
> ============================================================================
> 
>         Despite putting the ethernet card in promiscuous mode, snort
> reports SYN stealth and other nmap scans when they are directed at
> this particular machine but not at other machines on the subnet.
> 
>         Snort does, however, report things of the following kind,
> 
> MISC Large UDP Packet: 129.236.110.79:0 -> 129.236.21.203:0
> 
>         which suggests it is able to match certain kinds of packets
> with its rule sets (UPDATED 02/21/2001).
> 
>         The machine is located on an ethernet subnet.  The snort.conf
> file has the following entries;
> 
> var HOME_NET 129.236.21.0/24
> var EXTERNAL_NET !129.236.21.0/24
> var SMTP $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var DNS_SERVERS [129.236.10.30/32,129.236.10.20/32,129.236.21.202/32]
> 
> preprocessor minfrag: 128
> preprocessor defrag
> preprocessor http_decode: 80 8080
> preprocessor portscan: $HOME_NET 4 3 portscan.log
> preprocessor portscan-ignorehosts: $DNS_SERVERS
> 
> include /etc/snort/local.rules
> include /etc/snort/exploit.rules
> include /etc/snort/scan.rules
> include /etc/snort/finger.rules
> include /etc/snort/ftp.rules
> include /etc/snort/telnet.rules
> include /etc/snort/smtp.rules
> include /etc/snort/rpc.rules
> include /etc/snort/rservices.rules
> include /etc/snort/backdoor.rules
> include /etc/snort/dos.rules
> include /etc/snort/ddos.rules
> include /etc/snort/dns.rules
> include /etc/snort/netbios.rules
> include /etc/snort/web-cgi.rules
> include /etc/snort/web-coldfusion.rules
> include /etc/snort/web-frontpage.rules
> include /etc/snort/web-misc.rules
> include /etc/snort/web-iis.rules
> include /etc/snort/icmp.rules
> include /etc/snort/misc.rules
> # include policy.rules
> # include info.rules
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users

--
Martin Roesch
roesch at ...421...
http://www.snort.org
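To make Marty's point concrete, here is an added Python model of how the address part of a Snort rule header is resolved against a packet. It is illustration code written for this page, not Snort's own matcher: it supports only the syntax that appears in the posted snort.conf ("any", a CIDR, a negated CIDR, a bracketed list, and $VAR substitution) and ignores protocols and ports. The HOME_NET/EXTERNAL_NET values and the 129.236.110.79 -> 129.236.21.203 UDP alert come from the post; the nmap source address 129.236.21.50 is a constructed sample, chosen only to sit on the same /24 as the sensor.

```python
import ipaddress

# Constructed sample: the two variable sets under discussion. The first is
# the poster's original snort.conf, the second is Marty's suggested fix.
ORIGINAL_VARS = {"HOME_NET": "129.236.21.0/24", "EXTERNAL_NET": "!129.236.21.0/24"}
FIXED_VARS = {"HOME_NET": "129.236.21.0/24", "EXTERNAL_NET": "any"}

# Typical header shape of the scan/exploit rules included in the post's config.
RULE_HEADER = "alert tcp $EXTERNAL_NET any -> $HOME_NET any"


def resolve_vars(spec, variables):
    """Substitute $NAME references, e.g. '!$HOME_NET' -> '!129.236.21.0/24'."""
    for name, value in variables.items():
        spec = spec.replace("$" + name, value)
    return spec


def parse_addr_spec(spec):
    """Return (negated, [ip_network, ...]) for one address specification."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    if spec.startswith("[") and spec.endswith("]"):
        parts = spec[1:-1].split(",")          # bracketed list such as $DNS_SERVERS
    else:
        parts = [spec]
    return negated, [ipaddress.ip_network(p.strip(), strict=False) for p in parts]


def addr_matches(spec, ip):
    """True when ip satisfies spec, honouring a leading '!' as negation."""
    negated, nets = parse_addr_spec(spec)
    addr = ipaddress.ip_address(ip)
    hit = any(addr in net for net in nets)
    return hit != negated


def rule_header_matches(header, variables, src_ip, dst_ip):
    """Apply the address fields of 'action proto src sport -> dst dport'."""
    fields = header.split()
    if len(fields) != 7 or fields[4] != "->":
        raise ValueError("only unidirectional headers are modelled here")
    src_spec = resolve_vars(fields[2], variables)
    dst_spec = resolve_vars(fields[5], variables)
    return addr_matches(src_spec, src_ip) and addr_matches(dst_spec, dst_ip)


def scan_from_same_subnet_seen(variables):
    """Constructed sample: nmap from 129.236.21.50 at another host on the /24."""
    return rule_header_matches(RULE_HEADER, variables, "129.236.21.50", "129.236.21.203")


def large_udp_from_other_subnet_seen(variables):
    """The MISC Large UDP Packet alert source/destination quoted in the post."""
    return rule_header_matches(RULE_HEADER, variables, "129.236.110.79", "129.236.21.203")


if __name__ == "__main__":
    for label, variables in (("original", ORIGINAL_VARS), ("EXTERNAL_NET any", FIXED_VARS)):
        print(label,
              "same-subnet scan matches:", scan_from_same_subnet_seen(variables),
              "other-subnet UDP matches:", large_udp_from_other_subnet_seen(variables))
```

With the original variables, a source on 129.236.21.0/24 fails the $EXTERNAL_NET test, so a rule headed $EXTERNAL_NET -> $HOME_NET never fires for a scan run from inside the subnet, while the UDP packet from 129.236.110.79 passes both address checks, which is consistent with the one alert the poster did see. Setting EXTERNAL_NET to any removes the exclusion; the trade-off is that every $EXTERNAL_NET -> $HOME_NET rule then also inspects internal-to-internal traffic, so expect more alerts from legitimate local activity once the test is over.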
