[Snort-users] Snort on Linux Help

David Wilkeson davelist at ...4123...
Mon Nov 26 08:44:01 EST 2001

At 08:16 AM 11/26/2001 -0800, you wrote:
>David Wilkeson wrote:
>>I'm running Redhat which was preinstalled on a new Dell server.  libpcap 
>>was installed, but when it didn't work I removed it and installed various 
>>versions myself.
>What "various versions"?
>The only version worth bothering with is at: http://www.tcpdump.org/
>and is libpcap-0.6.2.tar.gz

That's the first one I tried.  Then I tried 0.6.2-9.i386.rpm and 
0.4-29.i386.rpm.  I think I am back to 0.6.2.tar.gz, but I will recompile 
to be sure.  All from tcpdump.org

>>None of them work.
>What do you mean? They won't compile? They won't install?
>They compile and install, but then what?
>You *really* need to be more specific about what you've got, and what's 
>happening, for someone to be able to help you...

They all compile, they all install, none produce any errors.  ifconfig when 
snort is running does not report the interface in promiscuous mode, 
although I can put it in manually.  /var/log/messages reports the interface 
going in and out of promiscuous mode when snort or ethereal runs, or when 
I put it into promisc manually.  In no case does ethereal or snort see 
anything other than IPs it is directly talking to, or broadcast 
addresses.  And it's not a physical ethernet problem, as a Windows snort box 
plugged into the same ethernet port works fine.

>>Do some net cards not support promiscuous mode even when the syslog 
>>reports them going into promiscuous mode?
>promiscuous mode isn't necessary for tcpdump/libpcap to "work" -- it just 
>lets you see more than you might otherwise..
>If "ifconfig -a" says the particular interface you're talking about is in 
>promiscuous mode, I'd be willing to bet that it *is*..

/var/log/messages reports that the interface entered promiscuous mode, but 
ifconfig -a does not.  I can "ifconfig eth0 promisc" and then ifconfig -a 
says it's in promiscuous mode (messages also says it is), but nothing 
changes with the snort output.

>What's the output from "uname -a"?

[root at ...4157... /snort]# uname -a
Linux ids 2.4.3-6smp #1 SMP Wed May 16 04:29:16 EDT 2001 i686 unknown

>What's the output from "tcpdump -V" if that's working at all...?

tcpdump is not installed anymore.  I removed it per snort setup 
instructions posted on sans.org.


>- John
>>At 02:22 PM 11/21/2001 -0800, you wrote:
>>>OK, what flavor of Linux distribution are you running? Have you built
>>>your own kernel or are you using the 'stock' one? RedHat, Mandrake and
>>>Slackware all seem to properly support libpcap right out of the box...
>>>In any case - until either tcpdump or ethereal work (both use libpcap)
>>>you won't get anywhere with snort...

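The checks argued over in this exchange (does "ifconfig -a" show PROMISC, does the kernel log say the device entered promiscuous mode, and does libpcap actually deliver frames not addressed to the host) can be scripted so the three answers are collected in one place. The script below is an added example, not code from the thread or from the snort project. It assumes the sniffing interface is eth0 (override with IFACE=...), runs its two parsers against constructed sample output in the style of a 2.4-era "ifconfig -a" and /var/log/messages (not captured from the poster's box), and keeps the live tcpdump capture in a separate function because it needs root and a real interface. The kernel message format "device eth0 entered promiscuous mode" is the real one printed by net/core/dev.c.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original thread or from snort).
# For interface $IFACE it answers:
#   1. does "ifconfig -a" output show the PROMISC flag?
#   2. does the kernel log show the device entering promiscuous mode?
#   3. (live only) does libpcap hand over frames that are neither to/from
#      this host nor broadcast/multicast?
IFACE="${IFACE:-eth0}"   # assumption: the sniffing interface is eth0

# Read "ifconfig -a" (or "ip link") text on stdin; return 0 if the block for
# the interface named in $1 carries the PROMISC flag, 1 otherwise.
# A new interface block starts in column 1; both the old
# "eth0      Link encap:..." and the newer "eth0: flags=<...>" layouts work.
promisc_in_ifconfig() {
    awk -v ifc="$1" '
        /^[^ \t]/ { cur = $1; sub(/:$/, "", cur) }
        cur == ifc && /PROMISC/ { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Read syslog/dmesg text on stdin; print "entered=N left=M" for the interface
# named in $1 and return 0 if the most recent transition was "entered".
promisc_in_syslog() {
    awk -v ifc="$1" '
        $0 ~ ("device " ifc " entered promiscuous mode") { e++; last = "entered" }
        $0 ~ ("device " ifc " left promiscuous mode")    { l++; last = "left" }
        END {
            printf "entered=%d left=%d\n", e + 0, l + 0
            rc = (last == "entered") ? 0 : 1
            exit rc
        }
    '
}

# Live check, root only, not run by default: force PROMISC on, then wait for
# five frames that are not ours and not broadcast/multicast.  If another host
# on the same segment is talking and this still hangs, the driver is not
# delivering foreign frames no matter what the flag says (add a timeout if
# your system has one).  The sed pattern assumes the 2.4-era ifconfig layout.
live_capture_check() {
    iface="$1"
    myip=$(ifconfig "$iface" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p')
    ifconfig "$iface" promisc
    tcpdump -i "$iface" -n -c 5 \
        "not host $myip and not ether broadcast and not ether multicast"
}

# Constructed sample input (not real output from the poster's machine).
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:02
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'

SAMPLE_MESSAGES='Nov 26 08:30:01 ids kernel: device eth0 entered promiscuous mode
Nov 26 08:30:09 ids kernel: device eth0 left promiscuous mode
Nov 26 08:41:12 ids kernel: device eth0 entered promiscuous mode'

# Run the two parsers on the samples; on a sensor, feed them the real
# "ifconfig -a" and /var/log/messages instead, then call live_capture_check.
printf '%s\n' "$SAMPLE_IFCONFIG" | promisc_in_ifconfig "$IFACE" \
    && echo "ifconfig: $IFACE shows PROMISC" \
    || echo "ifconfig: $IFACE does NOT show PROMISC"
printf '%s\n' "$SAMPLE_MESSAGES" | promisc_in_syslog "$IFACE" \
    && echo "syslog: last transition for $IFACE was 'entered'" \
    || echo "syslog: $IFACE is not currently in promiscuous mode per kernel log"
```

On the symptoms described above the expected picture would be: the syslog parser says the last transition was "entered" while the ifconfig parser says PROMISC is absent, and the live capture shows only traffic to or from the sensor's own address; that combination points at the driver or libpcap build rather than at cabling or the switch port.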