[Snort-users] Problems with eth1?

Ryan Hill rhill at ...2446...
Fri Oct 26 10:11:07 EDT 2001


Jason,

This is all broadcast based traffic - is your outside monitor on a switch?
If so, has the switch configuration changed recently?  If you're on a
switch, you need to be mirroring traffic from the appropriate ports in order
for your card to see it.

Regards,

Ryan Hill, MCSE 
IT Ninja
Corporate Information Systems
Telecommunication Systems, Inc. (TCS) - http://www.telecomsys.com
v: 206.792.2276 - f: 206.792.2001
pgp: 0x17CE70AB


> -----Original Message-----
> From: Jason Smith [mailto:jsmith at ...2528...] 
> Sent: Friday, October 26, 2001 8:35 AM
> To: Snort Mailing List (E-mail)
> Subject: [Snort-users] Problems with eth1?
> 
> 
> Hello all,
> 
> Here's the problem.  I have a Linux box running Redhat 7.1 w/ 
> 2.4.6.  It has two NICs, both Intel eepro100's.  They are both 
> monitoring different segments of the network.  One is on the 
> inside of the firewall and one is on the outside.  The 
> problem interface is the outside one.  I am getting no alerts and 
> haven't for the last week or so.  I do have some simple rules 
> that should be tripped every now and then but I'm not even 
> getting those.  The internal interface does log those rules 
> so I know the traffic is there.  The output below is from 
> running snort -dev -i eth1.  If I do this but on eth0 traffic 
> just flies by.  I'm thinking there is something wrong with 
> the network card.  Hopefully the output below helps.  I have 
> also checked the dmesg log, configured syslog to log all 
> kernel messages to /var/log/kernel. And neither of these have 
> logged anything suspicious.  
> 
> Any help is greatly appreciated.  Also if you have any other 
> questions let me know.
> 
> Thanks
> Jason Smith
> 
> 
> 
> <snip>
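
One way to check a sensor capture for the symptom described in the reply above (only broadcast-type frames reaching the interface), as an added example that is not part of the original thread. The sample lines are constructed, the link-layer header layout is an assumption about what `snort -dev` prints, and the function names are hypothetical.

```python
import re

# Constructed sample; assumed header layout:
# "<timestamp> <src MAC> -> <dst MAC> type:<hex> len:<hex>"
SAMPLE = """\
10/26-08:30:01.100000 0:D0:B7:11:22:33 -> FF:FF:FF:FF:FF:FF type:0x806 len:0x3C
10/26-08:30:01.400000 0:D0:B7:44:55:66 -> 1:0:5E:0:0:5 type:0x800 len:0x4E
10/26-08:30:02.000000 0:D0:B7:11:22:33 -> FF:FF:FF:FF:FF:FF type:0x800 len:0x5C
"""

MAC = r"(?:[0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2}"
HEADER = re.compile(rf"({MAC})\s+->\s+({MAC})\s+type:")

def classify(dst_mac):
    """Classify a destination MAC as broadcast, multicast or unicast."""
    octets = [int(o, 16) for o in dst_mac.split(":")]
    if all(o == 0xFF for o in octets):
        return "broadcast"
    # I/G bit: least significant bit of the first octet marks a group address.
    return "multicast" if octets[0] & 1 else "unicast"

def summarize(text):
    """Count frames per destination class, skipping non-header lines."""
    counts = {"broadcast": 0, "multicast": 0, "unicast": 0}
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            counts[classify(m.group(2))] += 1
    return counts

def looks_unmirrored(counts, min_frames=3):
    """True when enough frames were seen and none was unicast, which is
    what a switch port without mirroring delivers to a passive sensor."""
    total = sum(counts.values())
    return total >= min_frames and counts["unicast"] == 0

if __name__ == "__main__":
    c = summarize(SAMPLE)
    print(c, "unmirrored port suspected:", looks_unmirrored(c))
```
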



