[Snort-users] Snort Just Does Not Want To Work on Shadow Interrface

Joshua Berry jberry at ...11848...
Tue Jul 20 07:26:06 EDT 2004

How is $HOME_NET configured when you do have an IP address assigned?
Also, which version of Snort are you using, you said 1.2, but I think
you are wrong as that would be an incredibly old version since we are up
to 2.2.0RC1 now.

With Redhat I always used something like this:


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Rhugga
Sent: Tuesday, July 20, 2004 8:56 AM
To: Snort-User Mailing List
Subject: [Snort-users] Snort Just Does Not Want To Work on Shadow

I will be as terse as possible here, because I have tried configs from 
people that claim they should work but aren't. I have read the 
documentatrion probably 5 times now, (well the documentation says 
version 1.0, the link on the website says 1.1, but the version I am 
using is 1.2)

Anyway. My system is vanilla RH 9 with all updates except I build my own

openssl library and also using mysql 4.x in /usr/local. ( I have 
compeltely re-installed since I first started just to eliminate ANY 
possible issues because some people claim snort 1.2 works as I desire on

RH  9)

IP address:
SysKonnect Copper GB NIC directly connected to a switch in our Black 
Diamond. (Cat 6 cabling with no patch panels in between)

IP address: None
Onboard Intel NIC connected to a 4 port hub. Also on this hub is a Cisco

3600 router and 2 Netscreen Firewalls.

The network on the hub is 65.120.XX.XX with netmask of

Here are the contents of the /etc/sysconfig/network-scripts/ifcfg-eth1

Note: I added this after I initially tried to get it working without 
adding an IP. I saw this as a solution to some people's problems in the 
mailing list archvie.

If I look at the traffic on eth1:

syslog:/usr/local/snort/bin #./snort -i eth1 -v
Running in packet dump mode
Log directory = /var/log/snort

Initializing Network Interface eth1
OpenPcap() device eth1 network lookup:
       eth1: no IPv4 address assigned

       --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth1

       --== Initialization Complete ==--

-*> Snort! <*-
Version 2.1.3 (Build 27)
By Martin Roesch (roesch at ...1935..., www.snort.org)
07/20-06:28:39.383108 -> 65.120.XX.XX
IPV6-CRYPT TTL:52 TOS:0x0 ID:43725 IpLen:20 DgmLen:104

07/20-06:28:39.383705 -> 65.120.XX.XX
IPV6-CRYPT TTL:52 TOS:0x0 ID:43726 IpLen:20 DgmLen:104

It is reading traffic on eth1. However, when I start nagios it will run,

but it will not match anything. I get not a single alert. However, when 
I assign eth1 a valid IP address on the 65.120.XX.XX network, it 
immediately starts matching. Within seconds my alert count starts 
climbing. (Note that when I say I am assigning it a valid IP address I 
also modify HOME_NET to reflect this)

Here is how I define HOME_NET when I am trying to use snort _without_ an

IP address:


What am I doing wrong? According to the documentation and the responses 
to my first emails, this config is correct.

What gives??


This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list