[Snort-users] Promiscuous monitoring
erek at ...577...
Tue Jul 2 11:10:01 EDT 2002
On 2 Jul 2002, Francis Yom wrote:
> Thanks for the advice Dan, but it's not it. I have snort running on an
> old but reliable 10BaseT hub. It used to be able to work just fine under
> the older 1.73 version of snort.
Hrm... I'd hazard a guess that the system has been upgraded since the 1.73
version. You might be running into something that's driver related...
> I did have problems getting the thing into promisc mode initially. I
> have an Intel E100B adapter in it. Using the e100.o module you can
> compile from Intel's source, I could not get it to go promisc. I
> switched over to the open source (David Hine's) eepro100 module, and I
> could get it to run in promisc at that point.
Try this test: Run snort and tcpdump at the same time. You _should_ see the
same packets. If not, it might be the version of pcap each is linked against.
> I do have some snorting. The stream4 preprocessor seems to work and I
> can detect port 21 stealth activity, but that is it.
Try: var EXTERNAL_NET !$HOME_NET
See if that makes a difference.
> I have all the rules enabled and the box is a Pentium Pro 180 (400
> bogomips). I'm running Debian with Kernel 2.4.19-pre1-ac2 with rmap VM
> and xfs filesystem. System has run stable - no oops or crashes or any
> other weirdness.
> So what do you think?
I know a number of folks are running in a similar config to yours. I'd have
to guess that it would be something specific to your config, hardware or