[Snort-users] Snort Just Does Not Want To Work on Shadow Interface
jberry at ...11848...
Tue Jul 20 07:26:06 EDT 2004
How is $HOME_NET configured when you do have an IP address assigned?
Also, which version of Snort are you using, you said 1.2, but I think
you are wrong as that would be an incredibly old version since we are up
to 2.2.0RC1 now.
With Redhat I always used something like this:
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Rhugga
Sent: Tuesday, July 20, 2004 8:56 AM
To: Snort-User Mailing List
Subject: [Snort-users] Snort Just Does Not Want To Work on Shadow
I will be as terse as possible here, because I have tried configs from
people that claim they should work but aren't. I have read the
documentation probably 5 times now, (well the documentation says
version 1.0, the link on the website says 1.1, but the version I am
using is 1.2)
Anyway. My system is vanilla RH 9 with all updates except I build my own
openssl library and also using mysql 4.x in /usr/local. (I have
completely re-installed since I first started just to eliminate ANY
possible issues because some people claim snort 1.2 works as I desire on
IP address: 10.250.200.33
SysKonnect Copper GB NIC directly connected to a switch in our Black
Diamond. (Cat 6 cabling with no patch panels in between)
IP address: None
Onboard Intel NIC connected to a 4 port hub. Also on this hub is a Cisco
3600 router and 2 Netscreen Firewalls.
The network on the hub is 65.120.XX.XX with netmask of 255.255.255.240
Here are the contents of the /etc/sysconfig/network-scripts/ifcfg-eth1
Note: I added this after I initially tried to get it working without
adding an IP. I saw this as a solution to some people's problems in the
mailing list archive.
If I look at the traffic on eth1:
syslog:/usr/local/snort/bin #./snort -i eth1 -v
Running in packet dump mode
Log directory = /var/log/snort
Initializing Network Interface eth1
OpenPcap() device eth1 network lookup:
eth1: no IPv4 address assigned
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth1
--== Initialization Complete ==--
-*> Snort! <*-
Version 2.1.3 (Build 27)
By Martin Roesch (roesch at ...1935..., www.snort.org)
07/20-06:28:39.383108 220.127.116.11 -> 65.120.XX.XX
IPV6-CRYPT TTL:52 TOS:0x0 ID:43725 IpLen:20 DgmLen:104
07/20-06:28:39.383705 18.104.22.168 -> 65.120.XX.XX
IPV6-CRYPT TTL:52 TOS:0x0 ID:43726 IpLen:20 DgmLen:104
It is reading traffic on eth1. However, when I start nagios it will run,
but it will not match anything. I get not a single alert. However, when
I assign eth1 a valid IP address on the 65.120.XX.XX network, it
immediately starts matching. Within seconds my alert count starts
climbing. (Note that when I say I am assigning it a valid IP address I
also modify HOME_NET to reflect this)
Here is how I define HOME_NET when I am trying to use snort _without_ an
var EXTERNAL_NET any
What am I doing wrong? According to the documentation and the responses
to my first emails, this config is correct.
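An added example, not from either poster: a small POSIX shell helper that turns the hub segment's address and netmask (255.255.255.240 in the post) into the CIDR form a HOME_NET variable needs, so the sensor's own, deliberately absent, interface address is never relied on. The address 65.120.1.35 is a constructed stand-in for the masked 65.120.XX.XX.

```shell
#!/bin/sh
# Added example (not from the thread): derive the CIDR form of the hub
# network for a Snort HOME_NET variable from an address and dotted netmask.
# 65.120.1.35 is a constructed stand-in for the masked 65.120.XX.XX above.

# Convert a dotted-quad netmask (e.g. 255.255.255.240) to a prefix length (28).
# Fails on a non-contiguous mask, which cannot be written as a CIDR block.
mask2cidr() {
    bits=0; ended=0
    oldifs=$IFS; IFS=.
    for octet in $1; do
        if [ "$ended" = 1 ] && [ "$octet" != 0 ]; then IFS=$oldifs; return 1; fi
        case $octet in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)); ended=1 ;;
            252) bits=$((bits + 6)); ended=1 ;;
            248) bits=$((bits + 5)); ended=1 ;;
            240) bits=$((bits + 4)); ended=1 ;;
            224) bits=$((bits + 3)); ended=1 ;;
            192) bits=$((bits + 2)); ended=1 ;;
            128) bits=$((bits + 1)); ended=1 ;;
            0)   ended=1 ;;
            *)   IFS=$oldifs; return 1 ;;
        esac
    done
    IFS=$oldifs
    echo "$bits"
}

# AND the address with the mask octet by octet and print network/prefix.
net_cidr() {
    addr=$1; mask=$2
    prefix=$(mask2cidr "$mask") || return 1
    oldifs=$IFS; IFS=.
    set -- $addr; a1=$1; a2=$2; a3=$3; a4=$4
    set -- $mask; m1=$1; m2=$2; m3=$3; m4=$4
    IFS=$oldifs
    echo "$((a1 & m1)).$((a2 & m2)).$((a3 & m3)).$((a4 & m4))/$prefix"
}

# snort.conf variable lines for a sensor sniffing a segment it has no address on:
# HOME_NET is the monitored segment itself; EXTERNAL_NET stays 'any' as in the post.
home_net_lines() {
    net=$(net_cidr "$1" "$2") || return 1
    printf 'var HOME_NET %s\nvar EXTERNAL_NET any\n' "$net"
}

home_net_lines 65.120.1.35 255.255.255.240
```

Because HOME_NET is then a literal CIDR rather than something derived from the interface, the rules keep matching whether or not eth1 carries an address.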