[Snort-users] Snort on Linux Help

David Wilkeson davelist at ...4123...
Tue Nov 27 09:31:04 EST 2001


Welp, I finally fixed it.  I set up eth1, flipped my cable over, set snort 
to use eth1, and boom, it started working.  My only guess is that eth0 does 
not support promiscuous mode.  I went back and forth a couple of times just 
to make sure I didn't do anything else differently, and it's definitely the 
Ethernet card.  For anyone else with the problem, it's a Dell PowerEdge 
2550 rackmount server.

Thanks for all your help!

Dave

At 04:20 PM 11/26/2001 -0600, you wrote:
>Well, if it were my machine, I'd first delete all rpm's pertaining to
>libpcap, then go into the /usr/local/lib and /usr/lib directories and
>delete anything that smelled of libpcap.
>
>Then, reinstall from source the 0.6.2 libpcap stuff.  Unfortunately, I
>don't know any other way to do it.
>
>
>Mike
>
>-----Original Message-----
>From: David Wilkeson [mailto:davelist at ...4123...]
>Sent: Monday, November 26, 2001 3:34 PM
>To: Michael Aylor
>Subject: RE: [Snort-users] Snort on Linux Help
>
>
>I did that, and they were both loaded (even though I previously thought I
>disabled them).  However, removing them did no good.
>
>The problem is definitely with libpcap.  I completely removed my libpcap
>RPMs and snort still started up and did the same thing as it did every
>other time.  How can you check what libpcap it is using?
>
>Dave
>
>At 10:47 AM 11/26/2001 -0600, you wrote:
> >Oh yeah, thought of something else.
> >
> >
> >When you run ntsysv, does ipchains or iptables show as startup daemons?
> >If so, uncheck them, reboot.
> >
> >
> >Mike
> >
> >-----Original Message-----
> >From: David Wilkeson [mailto:davelist at ...4123...]
> >Sent: Monday, November 26, 2001 10:15 AM
> >To: Chris Grout; snort-users at lists.sourceforge.net
> >Subject: RE: [Snort-users] Snort on Linux Help
> >
> >
> >At 03:39 PM 11/21/2001 -0800, you wrote:
> > >I'll ask the dumb questions...
> > >
> > >1.  With Snort or your Ethereal running, does 'ifconfig' really show
> > >that interface as being in promiscuous mode?
> >
> >Nope.  However, when I type "ifconfig eth0 promisc" it goes into
> >promiscuous mode, but it doesn't change the output of ethereal or
> >snort.  So to recap, the syslog indicates the interface entering and
> >leaving promiscuous mode, but ifconfig does not report it in promiscuous
> >mode unless I manually put it into promiscuous mode.
> >
> > >2.  You are running this as root or with root privileges right?  I'd
> > >expect it to complain loudly if you weren't but figured I'd ask anyways.
> > >You do need root privs to put the NIC into promisc mode and it sounds
> > >like syslog is reporting it as working. (but these are the dumb
> > >questions)
> >
> >Yes I am.
> >
> > >3.  What brand of Linux?  RedHat? Debian? Suse?
> >
> >Redhat, loaded by Dell.
> >
> > >4.  With it running, do a 'netstat -i' (obfuscate your IP just to be
> > >safe), and send me the output.  I think '-i' works in linux...
> >
> >Are you sure that's the one you want?  It really doesn't show much of
> >anything other than counters.
> >
> >Dave
>
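
The thread turns on whether the capture interface is really in promiscuous mode while ifconfig says otherwise. The following is an added example, not part of any message in the thread: on current Linux kernels the flags word in /sys/class/net/<if>/flags carries the IFF_PROMISC bit (0x100) whenever the kernel holds the interface in promiscuous mode, including when a capture library requested it through a packet socket, which ifconfig does not display. The function names, the script name and the sample flag values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux sysfs, where
# /sys/class/net/<if>/flags holds the interface flags word in hex.
IFF_UP=1         # 0x1,   <linux/if.h>
IFF_PROMISC=256  # 0x100, <linux/if.h>

# promisc_state ROOT IFACE: prints promisc | normal | down | missing | invalid
promisc_state() {
    f="$1/$2/flags"
    [ -r "$f" ] || { echo missing; return 0; }
    read -r hex < "$f" || :
    digits=${hex#0x}
    case $digits in
        ''|*[!0-9a-fA-F]*) echo invalid; return 0 ;;  # refuse non-hex content
    esac
    flags=$((0x$digits))
    if [ $(( $flags & $IFF_PROMISC )) -ne 0 ]; then echo promisc
    elif [ $(( $flags & $IFF_UP )) -eq 0 ]; then echo down
    else echo normal
    fi
}

# promisc_ifaces ROOT: space-separated names of interfaces flagged promiscuous
promisc_ifaces() {
    out=
    for d in "$1"/*; do
        [ -d "$d" ] || continue
        n=${d##*/}
        [ "$(promisc_state "$1" "$n")" = promisc ] && out="${out:+$out }$n"
    done
    echo "$out"
}

# make_sample_tree DIR: constructed flags files standing in for /sys/class/net
make_sample_tree() {
    mkdir -p "$1/eth0" "$1/eth1" "$1/eth2"
    printf '0x1003\n' > "$1/eth0/flags"   # UP|BROADCAST|MULTICAST
    printf '0x1103\n' > "$1/eth1/flags"   # same, plus IFF_PROMISC
    printf '0x1002\n' > "$1/eth2/flags"   # IFF_UP not set
}

# Live use (hypothetical script name): ./promisc_check.sh eth1
# Exit status is 0 only when the named interface is promiscuous.
if [ $# -ge 1 ]; then
    state=$(promisc_state /sys/class/net "$1")
    echo "$1: $state"
    [ "$state" = promisc ]
fi
```

Run it while the sensor is capturing: a sniffing interface that reports `normal` or `down` at that moment is not seeing traffic addressed to other hosts.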