[Snort-users] Snort will not detect anything on stealth interface unless I assign IP

Rhugga snort-list at ...12135...
Mon Jul 19 06:59:13 EDT 2004


Jason Haar wrote:

>On Sat, Jul 17, 2004 at 12:10:25PM -0700, Rhugga wrote:
>  
>
>>I have attached 1 interface from ISD box to a hub containing our border 
>>router and our 2 firewalls. I bring the interface up with no IP address 
>>and snort will not start due to $eth1_ADDRESS being null.
>>    
>>
>
>Well that's not right. I've run snort from RH7 to Fedora Core2 and it
>doesn't need an IP address.
>
>However, the interface has to be UP.
>
>Make sure your /etc/sysconfig/network-scripts/ifcfg-ethX looks like this:
>
>DEVICE=eth1
>ONBOOT=yes
>BOOTPROTO=static
>IPADDR=0.0.0.0
>NETMASK=0.0.0.0
>
>Change ethX appropriately.
>
>  
>
>>snort will start when eth1 has this dummy IP address but no rules are 
>>getting detected.
>>    
>>
>
>What does tcpdump on that interface show? If it can't see traffic, then
>neither can snort. Actually "snort -v -i ethX" should do the same.
>
>  
>
>>When I put a valid IP address on that interface in the same net as the 
>>router and firewalls, snort then starts matching rules...
>>    
>>
>
>Err... Now you're just getting freaky :-)
>
>  
>

Oh, part of the problem is that I usually rip out Red Hat's kludgy 
config system for my own init scripts and I don't use the sysconfig 
directory for most things. I also rarely trust any of Red Hat's rpms for 
core components such as mysql and openssl.

Is there any reason why this would not work:

ifconfig eth1 down
ifconfig eth1 0.0.0.0
ifconfig eth1 up

I tried this and snort would not start, complaining the HOME_NET was not 
defined. FYI: The explicit ifconfig eth1 up on line 3 is not needed 
according to the specs; the interface should be brought up automatically 
in step 2.

Rhugga
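
Added example, not part of the original thread: a small shell lint that flags snort.conf variables referencing `$<iface>_ADDRESS` when the sniffing interface has no usable IPv4 address, the situation described above. It assumes the config contains a line such as `var HOME_NET $eth1_ADDRESS`; the function names and sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a snort.conf for variables that a stealth (no-IP)
# sniffing interface cannot resolve. All names here are hypothetical.

# Print the name of every "var" whose value references $<iface>_ADDRESS.
# usage: addr_dependent_vars IFACE < snort.conf
addr_dependent_vars() {
    awk -v needle="\$${1}_ADDRESS" '
        /^[ \t]*#/ { next }                          # skip comment lines
        $1 == "var" && index($0, needle) { print $2 }
    '
}

# Succeed if stdin (output of `ip -4 -o addr show dev IFACE`) contains a
# real IPv4 address; empty output or 0.0.0.0 counts as "no address".
has_ipv4() {
    awk '
        { for (i = 1; i < NF; i++)
              if ($i == "inet" && $(i+1) !~ /^0\.0\.0\.0(\/|$)/) found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Return 1 (and name the variables) when the config depends on an address
# the interface does not have; return 0 otherwise.
# usage: lint_stealth IFACE CONF_TEXT ADDR_TEXT
lint_stealth() {
    vars=$(printf '%s\n' "$2" | addr_dependent_vars "$1")
    if [ -n "$vars" ] && ! printf '%s\n' "$3" | has_ipv4; then
        echo "$1 has no IP; define explicitly (e.g. as a CIDR): $vars"
        return 1
    fi
    return 0
}

# Constructed sample input (not taken from the thread).
sample_conf='# constructed snort.conf fragment
var HOME_NET $eth1_ADDRESS
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET'
sample_addr_none=''
sample_addr_set='3: eth1    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1'

# Demo: the stealth case is flagged, the addressed case passes.
lint_stealth eth1 "$sample_conf" "$sample_addr_none" || true
lint_stealth eth1 "$sample_conf" "$sample_addr_set" && echo "eth1 config ok"
```

On a live sensor the third argument would be `"$(ip -4 -o addr show dev eth1)"` and the second the contents of the snort.conf in use.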







