[Snort-users] Snort on Linux Help

Michael Aylor maylor at ...1991...
Wed Nov 21 14:46:04 EST 2001


Okay, shooting in the dark here.  From what you're saying, it does sound
like the switch is monitoring properly.  The fact that ethereal also
shows only broadcast type traffic (I assume you compiled Ethereal on the
same linux box as snort?) suggests its OS related in some way (not that
you haven't come to the same conclusion, I just like stating the obvious
;)).

Does the NIC have an IP bound to it?  Is the interface active/up?  Have
you tried taking out the IP Address from the NIC and re-up'ing it?  It
almost sounds like its actively ignoring traffic not destined to its IP
network (as if it weren't truly in promiscous mode).  I assume this
Linux box has no trouble talking to other devices on your network?

Does your /var/log/messages file show anything wierd coming from the
kernel with regards to network type stuff?

Does your linux box have multiple NIC ports, and are you plugged into
the correct one?  Assuming your Linux box has an IP bound to it, can
ethereal see the linux box when it pings out (to something other than a
broadcast address)?

On the switch, is it showing any frame-align/runt errors on that port?
Could this be a mismatched duplex setting on the switch?  I once had a
terrible time configuring Cisco ports to see the correct speed/duplex on
my RH boxes.

You mentioned installing libpcap from RPM.  did you try installing snort
from RPM also?  When running snort, are you doing any funky command line
switches?  For example, are you setting it to do "-p", cuz if so, this
could mess stuff up...

Well, hope this helps.  I'm gone for the day.

-----Original Message-----
From: David Wilkeson [mailto:davelist at ...4123...]
Sent: Wednesday, November 21, 2001 3:58 PM
To: Michael Aylor
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort on Linux Help


I agree. I just installed Ethereal and it sees exactly the same thing as

Snort does, so it isn't Snort.

I have plugged my Windows machine running Snort into the exact port that

the Linux box is plugged into and it sees everything, so it definitely
has 
something to do with the Linux box.  I haven't had any errors compiling 
various versions of libpcap, nor installing the RPMs.  Additionally the 
syslog indicates that the interface is going in and out of promiscuous
mode 
when I start and stop Snort.

Dave

At 03:44 PM 11/21/2001 -0600, you wrote:
>The fact that you're only seeing broadcast traffic would lend itself to
>suggest you are not actually monitoring that port like you think you
>are.  Have you run tcpdump to verify you're seeing all traffic you're
>supposed to, or are you only seeing broadcasts as well?
>
>I would imagine that if libpcap had a problem, it would either not
>compile or would generate bizarre errors when snort was compiled....
>
>
>
>-----Original Message-----
>From: David Wilkeson [mailto:davelist at ...4123...]
>Sent: Wednesday, November 21, 2001 2:14 PM
>To: snort-users at lists.sourceforge.net
>Subject: [Snort-users] Snort on Linux Help
>
>
>I've been running Snort on a Windows platform on and off for some time
>so I
>am fairly well versed in Snort itself.  I recently decided to set up a
>permanent Snort box, and decided that Linux would be better suited for
>this
>application.  Well, I've got everything set up and running and I am
>testing
>by having Snort log everything, but I can't get Snort to see anything
>with
>a destination address other than an Ethernet broadcast address (.255),
>the
>box itself, or any machine that is connecting directly to the linux
>box.  It's not a physical Ethernet problem as it works fine when I plug
>my
>Windows Snort box into that jack on my switch (I have monitoring mode
>turned on for that switch port).  I think it must be a problem with
>libpcap, but I have uninstalled and reinstalled various versions and
>packages including RPMs and source code.  I've made sure that IPCHAINS
>is
>disabled.  I am completely out of ideas and my head hurts from beating
>it
>repeatedly against the wall.  Anyone else have any thoughts?
>
>TIA!
>Dave
>
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3457 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20011121/b32d60e8/attachment.bin>


More information about the Snort-users mailing list