[Snort-users] Snort will not detect anything on stealth interface unless I assign IP

Rhugga snort-list at ...12135...
Sat Jul 17 12:11:07 EDT 2004


I have attached 1 interface of from ISD box a hub containing our border 
router and our 2 firewalls. I bring the interface up with no IP address 
and snort will not start due to $eth1_ADDRESS being null.

If I assign a dummy IP address to the interface:

ifconfig eth1 down
ifconfig eth1 192.168.199.199
ifconfig eth1 up

I can see that the interace is receiving packets (based on ifconfig -a)
          RX packets:33790 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:2231965 (2.1 Mb)  TX bytes:0 (0.0 b)
          Interrupt:21 Base address:0x3400 Memory:f5104000-f5104038

snort will start when eth1 has this dummy IP address but no rules are 
getting detected.

When I put a valid IP address on that interface in the same net as the 
router and firewalls, snort then starts matching rules...

How do you use a shadow interface with no IP address with snort? I am 
running RH 9.

Thx,
rhugga





More information about the Snort-users mailing list