[Snort-users] Promiscuous monitoring

Francis Yom fyom at ...2367...
Tue Jul 2 07:36:47 EDT 2002


Thanks for the advice, Dan, but it's not it.  I have snort running on an
old but reliable 10BaseT hub.  It used to be able to work just fine under
the older 1.73 version of snort.

I did have problems getting the thing into promisc mode initially.  I
have an Intel E100B adapter in it.  Using the e100.o module you can
compile from Intel's source, I could not get it to go promisc.  I
switched over to the open source (David Hine's) eepro100 module, and I
could get it to run in promisc at that point.

I do have some snorting.  The stream4 preprocessor seems to work and I
can detect port 21 stealth activity, but that is it.

I have all the rules enabled and the box is a Pentium Pro 180 (400
bogomips).  I'm running Debian with Kernel 2.4.19-pre1-ac2 with rmap VM
and xfs filesystem.  System has run stable  - no oops or crashes or any
other weirdness.

So what do you think?

-f

PS.  Any snorters here from NYC?  I'm going to be in town for 4th of
July. :-)

On Tue, 2002-07-02 at 10:05, Dan Fiorito wrote:
> If it is an Auto Sense hub it will act as a switch between speeds.  Make sure all devices are running at the same speed.
>  
> Dan
> 
> 	-----Original Message----- 
> 	From: Francis Yom [mailto:fyom at ...2367...] 
> 	Sent: Tue 7/2/2002 9:22 AM 
> 	To: Jason Gauthier 
> 	Cc: 'Eric Ferguson'; snort-users at lists.sourceforge.net 
> 	Subject: RE: [Snort-users] Promiscuous monitoring
> 	
> 	
> 
> 	I have the exact same problem.  I hope someone can pass a clue as to
> 	what might be causing this.
> 	
> 	-francis
> 	
> 	On Tue, 2002-07-02 at 08:02, Jason Gauthier wrote:
> 	> My first thought is that the EXTERNAL_NET variable isn't set right.
> 	> Is that assigned as "any"?
> 	> 
> 	> 
> 	>
> 	> -----Original Message-----
> 	> From: Eric Ferguson [mailto:eric.ferguson at ...6215...]
> 	> Sent: Tuesday, July 02, 2002 7:06 AM
> 	> To: snort-users at lists.sourceforge.net
> 	> Subject: [Snort-users] Promiscuous monitoring
> 	>
> 	>
> 	>
> 	> I have Snort 1.8.6 running on Red Hat 7.3 with ACID and MySQL.  I start
> 	> Snort with the -v option to verify that Snort is seeing traffic and all
> 	> seems well.  My only problem is that attacks (ones I generate myself) are
> 	> only logged if directed at the Snort IP address.  If I direct an attack to
> 	> another machine on the same subnet, Snort does not identify the attack (yes
> 	> I am running a hub and not a switch...:-)).  Sounds like something simple to
> 	> me, I am just not sure what it is.
> 	>
> 	> 
> 	>
> 	> Thanks,
> 	>
> 	> 
> 	>
> 	> Eric Ferguson - NNCSE
> 	>
> 	> 4440 Embassy Drive
> 	>
> 	> Sykesville, Md. 21784
> 	>
> 	> phone: 410-876-0585
> 	>
> 	> cell: 443-677-6119
> 	>
> 	> email: eric.ferguson at ...6215...
> 	>
> 	> 
> 	>
> 	
> 	
> 	
> 	
> 





