[Snort-users] UPDATE eth1 without an IP = no worky

James Lay slave_tothe_box at ...131...
Thu Jun 26 05:51:04 EDT 2003


On Wed, 25 Jun 2003 14:26:01 -0500
"Jason Whitson" <jason at ...9559...> wrote:

> "What is your specific error?"
> - Unable to activate eth1. This is using the RH's network config screen.
> - I use ifconfig eth1 up and don't get any output, so I assume it's up
> 
> I can get snort to run on the command line with:  snort -b -A fast -c
> snort.conf
> with snort.conf having this line: var HOME_NET 172.16.0.0/32 (I am testing
> inside with a hub between 2 active switches)
> 
> It just shows a screen on the console with no more output after loading.
> Should the ACID console be showing data?
> 
> Also I have the snortd file to start snort upon boot but it never works.
> Even after changing eth0 to eth1. Ideas?
> 
> I've been working on this all day, maybe I need to step away ... but I am
> not getting anywhere.
> 
> 
> Jason Whitson
> VisionXtreme Computers
> www.visionxtreme.net
Jason,

Ok..wow...first off, if you're running snort in IDS mode, you'll want to add -D for daemon mode.  My rc.snort file has:
/usr/local/bin/snort -q -i eth1 -D -o -c /etc/snort/snort.conf

You won't see anything in the console...  If you're NOT wanting to run in daemon mode then add the -v switch to see what's going on...I use that when using snort to sniff an active connection.

Second, in RedHat you'll need to muck with the SysV stuff, or add the above line or your own to rc.local to start on boot.

Third, make sure your snort.conf has the output database line uncommented.  I use both ACID and syslog for my setup here.  Hope this helps.

James
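
The three points in the reply above (daemon switch and interface on the startup line, and an uncommented output database line in snort.conf) can be checked before rebooting. This is an added example, not part of the original message or of Snort; the helper names and the sample snort.conf excerpt are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: helper names and sample data are hypothetical/constructed.

# Constructed snort.conf excerpt: database output still commented out.
sample_conf() {
cat <<'EOF'
var HOME_NET any
# output database: log, mysql, user=snort dbname=snort host=localhost
  output alert_syslog: LOG_AUTH LOG_ALERT
EOF
}

# List active (uncommented) output plugins in a snort.conf, one per line.
active_outputs() {
    awk '/^[ \t]*output[ \t]+/ {
        sub(/^[ \t]*output[ \t]+/, ""); sub(/[: \t].*$/, ""); print
    }' "$1"
}

# Succeed only if the named output plugin is active in the given file.
has_output() {
    active_outputs "$1" | awk -v want="$2" '$0 == want { ok = 1 } END { exit !ok }'
}

# Report switches missing from a startup command (switches must be separate
# words, as in the commands quoted in this thread). Silent when all is well.
check_startup() {
    cmd=$1; want_if=$2; daemon=no; iface=; conf=
    set -- $cmd
    while [ $# -gt 0 ]; do
        case $1 in
            -D) daemon=yes ;;
            -i) iface=${2-}; [ $# -gt 1 ] && shift ;;
            -c) conf=${2-}; [ $# -gt 1 ] && shift ;;
        esac
        shift
    done
    [ "$daemon" = yes ] || echo "missing -D: snort stays in the foreground"
    [ "$iface" = "$want_if" ] || echo "not bound to $want_if: add -i $want_if"
    [ -n "$conf" ] || echo "missing -c: no configuration file given"
}

# Demo on the constructed excerpt and the command line from the question.
conf_file=$(mktemp)
sample_conf > "$conf_file"
has_output "$conf_file" database || echo "output database is not active"
check_startup "snort -b -A fast -c snort.conf" eth1
rm -f "$conf_file"
```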
