[Snort-users] Configuration issue, Part II

DJDave Sobel dave at ...3559...
Mon Sep 24 05:02:02 EDT 2001


I think we're on to something with your last comment..

I think snort is only binding to the lowest interface, which would
explain why it's only seeing the traffic it is.

How do you specify which interface to use?

And of more importance to me, how do you specify binding to multiple
interfaces?  I'd like it to be watching traffic to all the internal
networks, not just one... (that way, I can see what ipchains missed..)


-----Original Message-----
From: Erek Adams [mailto:erek at ...577...] 
Sent: Monday, September 24, 2001 2:24 AM
To: DJDave Sobel
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Configuration issue, Part II

On Sun, 23 Sep 2001, DJDave Sobel wrote:

> First off, thanks to everyone who's lent a hand -- I do appreciate
> Let me know where to send the coffee and/or beer...


> Now, to save bandwidth, I compiled my answers to everyone's questions
> into this one email. :) Thus, those not interested only need ignore
> message.
> First off, to answer Erik Adams (erek at ...577...):
> 	Tell me where to send your beer... Snort is located on my Linux
> router, so it's on a machine with 6 network interfaces.  Two are
> connected to the Internet, and four are to the internal networks.  I
> ipchains to block various unfriendly traffic, and control who can see

Ahhhh....  I think I see a possible problem!  Have a look at this:


Basically, snort sits 'behind' the ipchains and ipf programs.  They see
packets before snort does.  If you've got things setup to drop/deny
that you are expecting to see with snort, then you won't.

> who, but all traffic passes across this machine.  All the interfaces
> have been put into PROMISC mode (as I believed snort needed this).
> Its placement on this machine would make me think it can see
> that goes in and out of the network.

As well it should.

> 	It CAN see some traffic -- it does happily report on things it
> sees internally, such as samba communications and nameserver
> communications within the network.  Additionally, it does seem to
> occasional things from the outside.
> 	I performed this test, per your instructions:
> 		snort -dv host <webserver_IP>
> 	Snort displayed a great deal about communications going on
> within the network.   However, only things within the network for the
> time I watched.
> 	I then went to route-server.cerf.net and pinged the same
> webserver -- it did NOT report anything.

Odd.  Depending on your firewall rules, this might be expected.  Unless
are blocking packets, you should see the ping traffic in the snort


> Now, John Berkers (berjo at ...827...):
> 	Where do you want your coffee?  As for output plugins, you're
> right -- I didn't configure any.  However, even in this state, snort
> does log alerts to /var/log/snort/alert and
> .  I assumed this was the default configuration, and this works for my
> needs right now.  I thought I'd get it working before adding on a
> backend and such.

Good idea.  Getting ACID up and running is not a hard task, it's just got
a lot of dependencies.

> 	Is this not a true assumption?  If so, cool... if not, then why
> is it logging to these two files even without me saying so?

True sir!


I _really_ don't think it's your configs.  Your configs look quite sane
me--Oh wait, I'm not sane....  :)  Seriously, they look fine.  The only
that were amiss were corrected already.

Hold on...  You've got 2 external interfaces?  When you start snort
interface are you telling it to watch?  If you don't specify, it will
look at the lowest numbered one.  If your traffic is coming in via the other
interface, then that would explain it.  (Yeah, I could have deleted all
and re-written, but I'm lazy. ;-)

Good luck!

Erek Adams
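
As an added example (not part of the original messages): Snort's -i option names the interface to sniff, and one way to cover several interfaces is to run one Snort process per interface, each with its own log directory. The interface names, the config path and the helper function names below are assumptions; the script only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: one Snort process per interface. All names are assumptions.
CONF="${CONF:-/etc/snort/snort.conf}"   # assumed location of the rules file
LOGROOT="${LOGROOT:-/var/log/snort}"    # log root mentioned in the thread

# Print the command line for one interface; reject unexpected names so a
# stray character in an interface list never reaches the shell as a command.
snort_cmd() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*)
            echo "bad interface name: $1" >&2
            return 1 ;;
    esac
    # -i: interface to sniff   -c: rules file
    # -l: log directory        -D: run as a daemon
    printf 'snort -D -i %s -c %s -l %s/%s\n' "$1" "$CONF" "$LOGROOT" "$1"
}

# Print (default) or launch one sensor per interface given as arguments.
start_sensors() {
    for ifc in "$@"; do
        cmd=$(snort_cmd "$ifc") || return 1
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "$cmd"
        else
            # Snort needs the log directory to exist before it starts.
            mkdir -p "$LOGROOT/$ifc" && $cmd
        fi
    done
}

# Constructed sample: four internal interfaces, as on the router described
# in the thread (the actual interface names are not given there).
start_sensors eth2 eth3 eth4 eth5
```

Because ipchains sees packets before Snort does, a sensor on an interface will still not log traffic that the firewall rules drop first.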
