[Snort-users] stealth interface

Wirth, Jeff WirthJe at ...4876...
Tue Oct 1 14:02:21 EDT 2002


From: Dallas Jordan [mailto:DJordan at ...7041...]
 
> I am pretty new to snort, so forgive my ignorance.  I have FreeBSD 4.5 and
> Snort 1.8.1.  I am trying to set Snort up to monitor an interface with no IP


I would upgrade to 1.8.7...lots of fixes


> address.  But I can't seem to get it to log anything to the /var/log/snort
> directory.  When I start Snort everything appears to be fine.  I use the -v
> flag to see if it is "seeing" anything, and I can see lots of

<snip>

> !$HOME_NET.  Don't know if that helps anyone.  I also have another NIC with
> an IP address that I will use to access the snort box.  If I set up snort to
> monitor this interface, it works as it should.  Everything gets logged into


How is your first NIC configured in rc.conf?  Does ifconfig report the NIC
as up?


> directories according to IP addresses.  I also have a rule that alerts to
> all TCP traffic, just to check if SnortSnarf is working correctly with my
> alert file.  When Snort is monitoring the interface with no IP no alerts are
> logged.  But they are logged, when monitoring the interface with an IP.  I
> am sure it is something simple I'm missing, but I can't figure it out.
> Thanks for any help you can give.


Sounds OS-related to me.

- Jeff



