[Snort-users] Snort Just Does Not Want To Work on Shadow Interrface

Paul Schmehl pauls at ...6838...
Tue Jul 20 10:53:05 EDT 2004

--On Tuesday, July 20, 2004 6:55 AM -0700 Rhugga 
<snort-list at ...12135...> wrote:
> If I look at the traffic on eth1:
> syslog:/usr/local/snort/bin #./snort -i eth1 -v
> Running in packet dump mode
> Log directory = /var/log/snort
> Initializing Network Interface eth1
> OpenPcap() device eth1 network lookup:
>        eth1: no IPv4 address assigned
>        --== Initializing Snort ==--
> Initializing Output Plugins!
> Decoding Ethernet on interface eth1
>        --== Initialization Complete ==--
> -*> Snort! <*-
> Version 2.1.3 (Build 27)
> By Martin Roesch (roesch at ...1935..., www.snort.org)
> 07/20-06:28:39.383108 -> 65.120.XX.XX
> IPV6-CRYPT TTL:52 TOS:0x0 ID:43725 IpLen:20 DgmLen:104
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 07/20-06:28:39.383705 -> 65.120.XX.XX
> IPV6-CRYPT TTL:52 TOS:0x0 ID:43726 IpLen:20 DgmLen:104
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
So snort *is* working.  You can see it with your own eyes.

> It is reading traffic on eth1.

And you acknowledge it as well.

> However, when I start nagios it will run,
> but it will not match anything.

What does nagios have to do with snort?

> I get not a single alert.

Not a single alert where?  You've been asked this before.  *Please* show us 
your snort.conf file - grep -v "#" /etc/snort/snort.conf (or whatever the 
correct path is.)  It's really hard to troubleshoot blind.

> However, when I
> assign eth1 a valid IP address on the 65.120.XX.XX network, it
> immediately starts matching. Within seconds my alert count starts
> climbing. (Note that when I say I am assigning it a valid IP address I
> also modify HOME_NET to reflect this)
So it's not the same setup as the one that's failing.  Show us your 
snort.conf file, *please*!  Show us the section of /var/log/messages that 
shows you bringing up snort.

You've already proven, to us and to yourself, that snort can see traffic on 
an interface with no IP assigned.  (BTW, I'd be leery of assigning 
to an interface.  x.x.x.0 is the designated address for a network and 
should not be used as a "live" address, just as x.x.x.255 is the broadcast 
address for a network.  I wouldn't trust it to work correctly, and it 
shouldn't be needed.  Your networking scripts should have something like:

ifconfig up
bootproto none
userctl no

And that should work fine.

Here's mine, for FreeBSD, and it works fine.

bash-2.05b# grep ifconfig_xl0 /etc/rc.conf
ifconfig_xl0="promisc up"

bash-2.05b# ifconfig xl0
        inet6 fe80::260:97ff:fe74:28e7%xl0 prefixlen 64 scopeid 0x1
        ether 00:60:97:74:28:e7
        media: Ethernet autoselect (100baseTX)
        status: active

PROMISC is obsoleted in RedHat, so you don't need to use that, but up 
should work just fine.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member

More information about the Snort-users mailing list