[Snort-users] Linux Snort Stealth Interface Help Request

Mark Gannon markgannon at ...5364...
Thu Mar 21 13:14:32 EST 2002


Hello,

I'm having difficulty implementing a stealth interface per Snort FAQs 3.1 and
3.2 on a Linux (SuSE 7.3 with kernel 2.4.14) system using a regular
straight-through cable.  I start snort and no traffic is displayed to stdout
even though another interface on the same segment shows traffic via tcpdump.

Here is the command I'm issuing:

akme:/home/markg # snort -dvi eth1
Log directory = 

        --== Initializing Snort ==--

Initializing Network Interface eth1
WARNING: OpenPcap() device eth1 network lookup: 
        eth1: no IPv4 address assigned
Decoding Ethernet on interface eth1

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.1-RELEASE (Build 74)
By Martin Roesch (roesch at ...1935..., www.snort.org)

--------------------------------------------------------------------------------------------

After that no traffic is ever displayed.  I've also tried dumping to standard
out with tcpdump, but I never see any traffic.  After issuing the ifconfig
eth1 0.0.0.0 command, the ifconfig output looks like:

eth0      Link encap:Ethernet  HWaddr 00:10:5A:0C:70:FA  
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:26435 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27334 errors:0 dropped:0 overruns:0 carrier:0
          collisions:14 txqueuelen:100 
          RX bytes:18351898 (17.5 Mb)  TX bytes:3004806 (2.8 Mb)
          Interrupt:10 Base address:0xdc00 

eth1      Link encap:Ethernet  HWaddr 00:01:03:CC:CC:21  
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:1330 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:79532 (77.6 Kb)  TX bytes:0 (0.0 b)
          Interrupt:11 Base address:0xe800 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:201 errors:0 dropped:0 overruns:0 frame:0
          TX packets:201 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:16743 (16.3 Kb)  TX bytes:16743 (16.3 Kb)

Even though the RX Bytes occasionally increments, no output is displayed.

Eth1 is connected to a Netgear Dual Speed Hub (DS 106) that has a link light
on for that connection.  I've tried different cables and different NICs.
Right now the NIC on eth1 is 3c905c and eth0 is a 3c905b using the driver
that comes with kernel version 2.4.14 as a module.  When I start Snort on
eth0, all the traffic is dumped to standard out.

Thanks for your help.

Regards,

Mark Gannon
markgannon at ...5364...



