[Snort-users] stealth mode and openbsd 3.3

Bert Beaudin bert at ...9280...
Fri May 23 13:47:03 EDT 2003


Currently attempting to run snort in stealth mode on openbsd 3.3. Snort
2.0.0 built from source. I have the interface sis0 up.


sis0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:09:5b:06:63:f8
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::209:5bff:fe06:63f8%sis0 prefixlen 64 scopeid 0x2

And I'm running it from

/usr/local/bin/snort -de -h 192.168.20.0/24 -i sis0 -c
/etc/snort/snort.conf

All on one line. 

When I run some attack scripts I get nothing logged to
/var/log/snort/alert.

But if I change -i sis0 to -i rl0 where rl0 is

rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:30:84:3e:69:8d
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.20.13 netmask 0xffffff00 broadcast 192.168.20.255
        inet6 fe80::230:84ff:fe3e:698d%rl0 prefixlen 64 scopeid 0x1


and run the attack scripts I get hits in /var/log/snort/alert.

What am I doing wrong? Any help would be great. 
PS both interfaces are attached to the same hub.

Thanks,
-- 
Opensource software user
www.spininart.com
bert at ...9280...