[Snort-users] Problems with eth1?

Ryan Hill rhill at ...2446...
Fri Oct 26 10:11:07 EDT 2001


This is all broadcast based traffic - is your outside monitor on a switch?
If so, has the switch configuration changed recently?  If you're on a
switch, you need to be mirroring traffic from the appropriate ports in order
for your card to see it.


Ryan Hill, MCSE 
IT Ninja
Corporate Information Systems
Telecommunication Systems, Inc. (TCS) - http://www.telecomsys.com
v: 206.792.2276 - f: 206.792.2001
pgp: 0x17CE70AB

> -----Original Message-----
> From: Jason Smith [mailto:jsmith at ...2528...] 
> Sent: Friday, October 26, 2001 8:35 AM
> To: Snort Mailing List (E-mail)
> Subject: [Snort-users] Problems with eth1?
> Hello all,
> Here's the problem.  I have a Linux box running Redhat 7.1 w/ 
> 2.4.6.  It has two nics both Intel eepro100's.  They are both 
> monitoring different segments of the network.  One is on the 
> inside of the firewall and one is on the outside.  The 
> problem interface is the outside one.  I am getting no alerts and 
> haven't for the last week or so.  I do have some simple rules 
> that should be tripped every now and then but I'm not even 
> getting those.  The internal interface does log those rules 
> so I know the traffic is there.  The output below is from 
> running snort -dev -i eth1.  If I do this but on eth0 traffic 
> just flies by.  I'm thinking there is something wrong with 
> the network card.  Hopefully the output below helps.  I have 
> also checked the dmesg log, configured syslog to log all 
> kernel messages to /var/log/kernel. And neither of these have 
> logged anything suspicious.  
> Any help is greatly appreciated.  Also if you have any other 
> questions let me know.
> Thanks
> Jason Smith
> <snip>
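
The check suggested in the reply above, as an added example that is not part of the original thread: it classifies the destination MAC of each frame in `snort -dev -i eth1` output to tell a port that only receives broadcast and multicast from one that also sees unicast between other hosts, which is what a mirrored port delivers. The header line layout, the `min_share` threshold and all sample MACs and addresses are assumptions constructed for this example.

```python
import re
from collections import Counter

# Link-layer header line as printed with snort's -e flag. The exact layout
# ("<time> <src> -> <dst> type:0x.. len:0x..") is an assumption of this example.
MAC = r"[0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5}"
HDR = re.compile(rf"({MAC}) -> ({MAC}) type:")

def norm(mac):
    """Zero-pad and lowercase a MAC so '0:D0:B7:..' equals '00:d0:b7:..'."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def classify(dst, sensor_mac):
    """Classify a normalized destination MAC relative to the sensor's own MAC."""
    if dst == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    if int(dst[:2], 16) & 1:          # group bit set in the first octet
        return "multicast"
    return "to_sensor" if dst == sensor_mac else "transit_unicast"

def summarize(lines, sensor_mac):
    """Count frames by destination class; non-header lines are skipped."""
    counts = Counter()
    for line in lines:
        m = HDR.search(line)
        if m:
            counts[classify(norm(m.group(2)), norm(sensor_mac))] += 1
    return counts

def looks_mirrored(counts, min_share=0.05):
    """True when unicast between other hosts is a real share of the capture.
    An unmirrored switch port floods the odd unknown-unicast frame, so a
    share threshold (value chosen for this example) is used, not 'any'."""
    total = sum(counts.values())
    return total > 0 and counts["transit_unicast"] / total >= min_share

# Constructed sample input (MACs, addresses and timestamps are made up).
SENSOR = "0:2:B3:A:B:C"
UNMIRRORED = [
    "10/26-08:35:01.102334 0:D0:B7:1A:2B:3C -> FF:FF:FF:FF:FF:FF type:0x806 len:0x3C",
    "ARP who-has 192.0.2.1 tell 192.0.2.77",
    "10/26-08:35:02.551200 0:D0:B7:1A:2B:3C -> 1:0:5E:0:0:1 type:0x800 len:0x3C",
    "10/26-08:35:03.000100 0:10:7B:44:55:66 -> FF:FF:FF:FF:FF:FF type:0x800 len:0x15A",
]
MIRRORED = UNMIRRORED + [
    "10/26-08:35:04.200000 0:10:7B:44:55:66 -> 0:D0:B7:1A:2B:3C type:0x800 len:0x4A",
    "10/26-08:35:04.200900 0:D0:B7:1A:2B:3C -> 0:10:7B:44:55:66 type:0x800 len:0x5EA",
]
```

A capture that yields only `broadcast` and `multicast` counts on the sensor port points at the switch mirror configuration before the NIC or driver.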
