[Snort-users] Snort on Linux Help

Erek Adams erek at ...577...
Mon Nov 26 08:45:05 EST 2001

On Mon, 26 Nov 2001, David Wilkeson wrote:

> Nope.  However, when I type "ifconfig eth0 promisc" it goes into
> promiscuous mode, but it doesn't change the output of ethereal or
> snort.  So to recap, the syslog indicates the interface entering and
> leaving promiscuous mode, but ifconfig does not report it in promiscuous
> mode unless I manually put it into promiscuous mode.

Fine.  It's not like an OS to ever 'be mistaken' about something...  ;-)

The big question is this:  Are you _sure_ you're on a device that you can see
all traffic on?  IOW, is that hub/switch _really_ a hub or not?


Also, is it physically attached to the net so that it could see all packets?
Are you trying to hit it from the outside?  Or are you trying another machine?

> Redhat, loaded by Dell.

*sigh*  Ummmm....  Look, it's a UFO!

Ditch the RPMs.  Remove libpcap and snort RPMs if used.  Install the newest
versions of libpcap (0.6.2) and snort (1.8.2/3) from the sources.

Good luck!

Erek Adams
