[Snort-users] Snort Just Does Not Want To Work on Shadow Interface

Rhugga snort-list at ...12135...
Tue Jul 20 07:44:03 EDT 2004


Joshua Berry wrote:

>How is $HOME_NET configured when you do have an IP address assigned?
>Also, which version of Snort are you using, you said 1.2, but I think
>you are wrong as that would be an incredibly old version since we are up
>to 2.2.0RC1 now.
>
>With Redhat I always used something like this:
>
>DEVICE=eth1
>ONBOOT=yes
>USRCTL=no
>
>-----Original Message-----
>From: snort-users-admin at lists.sourceforge.net
>[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Rhugga
>Sent: Tuesday, July 20, 2004 8:56 AM
>To: Snort-User Mailing List
>Subject: [Snort-users] Snort Just Does Not Want To Work on Shadow Interface
>
>I will be as terse as possible here, because I have tried configs from 
>people that claim they should work but aren't. I have read the 
>documentation probably 5 times now, (well the documentation says 
>version 1.0, the link on the website says 1.1, but the version I am 
>using is 1.2)
>
>Anyway. My system is vanilla RH 9 with all updates except I build my own 
>openssl library and also using mysql 4.x in /usr/local. (I have 
>completely re-installed since I first started just to eliminate ANY 
>possible issues because some people claim snort 1.2 works as I desire on 
>RH 9)
>
>eth0
>-------------------------------
>IP address: 10.250.200.33
>Netmask: 255.255.255.0
>SysKonnect Copper GB NIC directly connected to a switch in our Black 
>Diamond. (Cat 6 cabling with no patch panels in between)
>
>eth1
>--------------------------------
>IP address: None
>Onboard Intel NIC connected to a 4 port hub. Also on this hub is a Cisco 
>3600 router and 2 Netscreen Firewalls.
>
>The network on the hub is 65.120.XX.XX with netmask of 255.255.255.240
>
>Here are the contents of the /etc/sysconfig/network-scripts/ifcfg-eth1
>DEVICE=eth1
>BOOTPROTO=static
>ONBOOT=yes
>IPADDR=0.0.0.0
>NETMASK=0.0.0.0
>
>Note: I added this after I initially tried to get it working without 
>adding an IP. I saw this as a solution to some people's problems in the 
>mailing list archive.
>
>If I look at the traffic on eth1:
>
>syslog:/usr/local/snort/bin #./snort -i eth1 -v
>Running in packet dump mode
>Log directory = /var/log/snort
>
>Initializing Network Interface eth1
>OpenPcap() device eth1 network lookup:
>       eth1: no IPv4 address assigned
>
>       --== Initializing Snort ==--
>Initializing Output Plugins!
>Decoding Ethernet on interface eth1
>
>       --== Initialization Complete ==--
>
>-*> Snort! <*-
>Version 2.1.3 (Build 27)
>By Martin Roesch (roesch at ...1935..., www.snort.org)
>07/20-06:28:39.383108 207.158.24.130 -> 65.120.XX.XX
>IPV6-CRYPT TTL:52 TOS:0x0 ID:43725 IpLen:20 DgmLen:104
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>07/20-06:28:39.383705 207.158.24.130 -> 65.120.XX.XX
>IPV6-CRYPT TTL:52 TOS:0x0 ID:43726 IpLen:20 DgmLen:104
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>It is reading traffic on eth1. However, when I start nagios it will run, 
>but it will not match anything. I get not a single alert. However, when 
>I assign eth1 a valid IP address on the 65.120.XX.XX network, it 
>immediately starts matching. Within seconds my alert count starts 
>climbing. (Note that when I say I am assigning it a valid IP address I 
>also modify HOME_NET to reflect this)
>
>Here is how I define HOME_NET when I am trying to use snort _without_ an 
>IP address:
>var HOME_NET [10.250.200.0/24,10.250.201.0/24,10.250.202.0/24,10.250.203.0/24,10.250.204.0/24,10.250.205.0/24,10.250.206.0/24,65.120.XX.0/28]
>
>var EXTERNAL_NET any
>
>What am I doing wrong? According to the documentation and the responses 
>to my first emails, this config is correct.
>
>What gives??
>
>Thx,
>Rhugga
>
>
Sorry, my bad. I am also working with nagios at version 1.2, so I got 
mixed up in my email earlier. The tarball I am working with is 
snort-2.1.3.tar.

If I assign interface eth1 a valid IP address on the 65.120.XX.0/28 
network, it works using the same HOME_NET you see above. If I use no IP 
address (i.e. just bringing the interface up manually and not having an 
/etc/sysconfig/network-scripts/ifcfg-eth1 file), it does not work. If I 
use /etc/sysconfig/network-scripts/ifcfg-eth1 to assign it an IP 
address of 0.0.0.0 and netmask of 0.0.0.0, it does not work.

Thx,
Rhugga
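Since the thread hinges on whether the destinations seen on eth1 fall inside the posted HOME_NET, here is an added checker (not from Snort or from the poster) that parses a Snort 2.x-style `var` list and reports which observed addresses a `-> $HOME_NET` rule could match. It assumes only the bracketed CIDR-list syntax shown above plus `!` negation and `any`; the redacted 65.120.XX.0/28 is replaced by a constructed stand-in.

```python
"""Check which addresses a Snort 2.x-style HOME_NET definition covers.

Added example for this thread (not from Snort or the poster); it implements
only the IP-list syntax used in the posted config: a bracketed, comma-separated
CIDR list, optional '!' negation per entry, and the keyword 'any'.
"""
import ipaddress
import re

# HOME_NET as posted in the thread, re-joined onto one line. The /28 on
# 65.120.XX is redacted in the original, so 65.120.100.0/28 is a constructed
# stand-in, not the poster's real network.
HOME_NET_LINE = (
    "var HOME_NET [10.250.200.0/24,10.250.201.0/24,10.250.202.0/24,"
    "10.250.203.0/24,10.250.204.0/24,10.250.205.0/24,10.250.206.0/24,"
    "65.120.100.0/28]"
)

def parse_var(line):
    """Return (name, [(negated, network), ...]) for a 'var NAME value' line."""
    m = re.match(r"\s*var\s+(\S+)\s+(.+?)\s*$", line)
    if not m:
        raise ValueError("not a var line: %r" % line)
    name, value = m.group(1), m.group(2).strip()
    if value == "any":
        return name, [(False, ipaddress.ip_network("0.0.0.0/0"))]
    # Strip the optional brackets around a list of addresses.
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    entries = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        entries.append((negated, ipaddress.ip_network(item.lstrip("!"), strict=False)))
    return name, entries

def in_home_net(entries, ip):
    """True if ip is covered by a positive entry and by no negated entry."""
    addr = ipaddress.ip_address(ip)
    if any(neg and addr in net for neg, net in entries):
        return False
    return any(not neg and addr in net for neg, net in entries)

def classify(entries, ips):
    """Map each address to whether a '-> $HOME_NET' rule could match it."""
    return {ip: in_home_net(entries, ip) for ip in ips}

if __name__ == "__main__":
    name, nets = parse_var(HOME_NET_LINE)
    # Constructed sample: the external source from the packet dump above plus
    # two destinations, one inside the stand-in /28 and one just outside it.
    for ip, hit in classify(nets, ["207.158.24.130", "65.120.100.5", "65.120.100.20"]).items():
        print("%-16s in %s: %s" % (ip, name, hit))
```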