[Snort-users] Snort on Linux Help

Erek Adams erek at ...577...
Mon Nov 26 08:45:05 EST 2001


On Mon, 26 Nov 2001, David Wilkeson wrote:

> Nope.  However, when I type "ifconfig eth0 promisc" it goes into
> promiscuous mode, but it doesn't change the output of ethereal or
> snort.  So to recap, the syslog indicates the interface entering and
> leaving promiscuous mode, but ifconfig does not report it in promiscuous
> mode unless I manually put it into promiscuous mode.

Fine.  It's not like an OS to ever 'be mistaken' about something...  ;-)

The big question is this:  Are you _sure_ you're on a device that you can see
all traffic on?  IOW, is that hub/switch _really_ a hub or not?

http://www.snort.org/docs/faq.html#6.21

Also, is it physically attached to the net so that it could see all packets?
Are you trying to hit it from the outside?  Or are you trying another machine?

> Redhat, loaded by Dell.

*sigh*  Ummmm....  Look, it's a UFO!

Ditch the RPMs.  Remove libpcap and snort RPMs if used.  Install the newest
versions of libpcap (0.6.2) and snort (1.8.2/3) from the sources.

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
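
Added example, not part of the original message: a shell sketch that reconciles the two views discussed in the thread, the kernel's "entered/left promiscuous mode" log events and the IFF_PROMISC bit (0x100) of an interface flags word. The log lines, function names and the flags values passed in are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample kernel log lines (not taken from the thread).
SAMPLE_LOG='Nov 26 08:01:10 host kernel: device eth0 entered promiscuous mode
Nov 26 08:05:42 host kernel: device eth0 left promiscuous mode
Nov 26 08:06:03 host kernel: device eth0 entered promiscuous mode
Nov 26 08:06:30 host kernel: device eth1 entered promiscuous mode
Nov 26 08:07:00 host kernel: device eth1 left promiscuous mode'

# Replay the entered/left events for one interface (log on stdin) and
# print the resulting state: on, off, or unknown when no event was seen.
log_promisc_state() {
    awk -v ifc="$1" '
        BEGIN { state = "unknown" }
        {
            for (i = 1; i + 3 <= NF; i++) {
                if ($i == "device" && $(i+1) == ifc && $(i+3) == "promiscuous") {
                    if ($(i+2) == "entered") { state = "on" }
                    else if ($(i+2) == "left") { state = "off" }
                }
            }
        }
        END { print state }'
}

# Test the IFF_PROMISC bit (0x100) in a flags word given as hex, e.g. 0x1103.
flags_promisc_state() {
    if [ $(( $1 & 0x100 )) -ne 0 ]; then echo on; else echo off; fi
}

# Compare both views: $1 = interface, $2 = flags word, log on stdin.
compare_promisc() {
    from_log=$(log_promisc_state "$1")
    from_flags=$(flags_promisc_state "$2")
    if [ "$from_log" = "$from_flags" ]; then
        echo "$1: consistent ($from_log)"
    else
        echo "$1: mismatch log=$from_log flags=$from_flags"
    fi
}

# The situation from the thread: the log says "entered", the flags word does not.
printf '%s\n' "$SAMPLE_LOG" | compare_promisc eth0 0x1003
```

A mismatch only shows that the two sources disagree about the interface; whether the sensor can see other hosts' traffic still depends on the hub/switch question raised above.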




