[Snort-users] Snort Just Does Not Want To Work on Shadow Interface

Rhugga snort-list at ...12135...
Tue Jul 20 07:44:03 EDT 2004

Joshua Berry wrote:

>How is $HOME_NET configured when you do have an IP address assigned?
>Also, which version of Snort are you using, you said 1.2, but I think
>you are wrong as that would be an incredibly old version since we are up
>to 2.2.0RC1 now.
>With Redhat I always used something like this:
>-----Original Message-----
>From: snort-users-admin at lists.sourceforge.net
>[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Rhugga
>Sent: Tuesday, July 20, 2004 8:56 AM
>To: Snort-User Mailing List
>Subject: [Snort-users] Snort Just Does Not Want To Work on Shadow
>I will be as terse as possible here, because I have tried configs from 
>people that claim they should work but aren't. I have read the 
>documentation probably 5 times now, (well the documentation says 
>version 1.0, the link on the website says 1.1, but the version I am 
>using is 1.2)
>Anyway. My system is vanilla RH 9 with all updates except I build my own
>openssl library and also using mysql 4.x in /usr/local. ( I have 
>completely re-installed since I first started just to eliminate ANY 
>possible issues because some people claim snort 1.2 works as I desire on
>RH  9)
>IP address:
>SysKonnect Copper GB NIC directly connected to a switch in our Black 
>Diamond. (Cat 6 cabling with no patch panels in between)
>IP address: None
>Onboard Intel NIC connected to a 4 port hub. Also on this hub is a Cisco
>3600 router and 2 Netscreen Firewalls.
>The network on the hub is 65.120.XX.XX with netmask of
>Here are the contents of the /etc/sysconfig/network-scripts/ifcfg-eth1
>Note: I added this after I initially tried to get it working without 
>adding an IP. I saw this as a solution to some people's problems in the 
>mailing list archive.
>If I look at the traffic on eth1:
>syslog:/usr/local/snort/bin #./snort -i eth1 -v
>Running in packet dump mode
>Log directory = /var/log/snort
>Initializing Network Interface eth1
>OpenPcap() device eth1 network lookup:
>       eth1: no IPv4 address assigned
>       --== Initializing Snort ==--
>Initializing Output Plugins!
>Decoding Ethernet on interface eth1
>       --== Initialization Complete ==--
>-*> Snort! <*-
>Version 2.1.3 (Build 27)
>By Martin Roesch (roesch at ...1935..., www.snort.org)
>07/20-06:28:39.383108 -> 65.120.XX.XX
>IPV6-CRYPT TTL:52 TOS:0x0 ID:43725 IpLen:20 DgmLen:104
>07/20-06:28:39.383705 -> 65.120.XX.XX
>IPV6-CRYPT TTL:52 TOS:0x0 ID:43726 IpLen:20 DgmLen:104
>It is reading traffic on eth1. However, when I start nagios it will run,
>but it will not match anything. I get not a single alert. However, when 
>I assign eth1 a valid IP address on the 65.120.XX.XX network, it 
>immediately starts matching. Within seconds my alert count starts 
>climbing. (Note that when I say I am assigning it a valid IP address I 
>also modify HOME_NET to reflect this)
>Here is how I define HOME_NET when I am trying to use snort _without_ an
>IP address:
>var HOME_NET 
>What am I doing wrong? According to the documentation and the responses 
>to my first emails, this config is correct.
>What gives??
Sorry my bad, I am also working with nagios at version 1.2, so I got 
mixed up in my email earlier. The tarball I am working with is 

If I assign interface eth1 a valid IP address on the 65.120.XX.0/28 
network, it works using the same HOME_NET you see above. If I use no IP 
address (i.e.: just bring the interface up manually and not having an 
/etc/sysconfig/network-scripts/ifcfg-eth1 file) it does not work. If I 
use the /etc/sysconfig/network-scripts/ifcfg-eth1 to assign it an IP 
address of and netmask of, it does not work.

