[Snort-users] Snort Just Does Not Want To Work on Shadow Interrface
pauls at ...6838...
Tue Jul 20 10:53:05 EDT 2004
--On Tuesday, July 20, 2004 6:55 AM -0700 Rhugga
<snort-list at ...12135...> wrote:
> If I look at the traffic on eth1:
> syslog:/usr/local/snort/bin #./snort -i eth1 -v
> Running in packet dump mode
> Log directory = /var/log/snort
> Initializing Network Interface eth1
> OpenPcap() device eth1 network lookup:
> eth1: no IPv4 address assigned
> --== Initializing Snort ==--
> Initializing Output Plugins!
> Decoding Ethernet on interface eth1
> --== Initialization Complete ==--
> -*> Snort! <*-
> Version 2.1.3 (Build 27)
> By Martin Roesch (roesch at ...1935..., www.snort.org)
> 07/20-06:28:39.383108 188.8.131.52 -> 65.120.XX.XX
> IPV6-CRYPT TTL:52 TOS:0x0 ID:43725 IpLen:20 DgmLen:104
> 07/20-06:28:39.383705 184.108.40.206 -> 65.120.XX.XX
> IPV6-CRYPT TTL:52 TOS:0x0 ID:43726 IpLen:20 DgmLen:104
So snort *is* working. You can see it with your own eyes.
> It is reading traffic on eth1.
And you acknowledge it as well.
> However, when I start nagios it will run,
> but it will not match anything.
What does nagios have to do with snort?
> I get not a single alert.
Not a single alert where? You've been asked this before. *Please* show us
your snort.conf file - grep -v "#" /etc/snort/snort.conf (or whatever the
correct path is.) It's really hard to troubleshoot blind.
> However, when I
> assign eth1 a valid IP address on the 65.120.XX.XX network, it
> immediately starts matching. Within seconds my alert count starts
> climbing. (Note that when I say I am assigning it a valid IP address I
> also modify HOME_NET to reflect this)
So it's not the same setup as the one that's failing. Show us your
snort.conf file, *please*! Show us the section of /var/log/messages that
shows you bringing up snort.
You've already proven, to us and to yourself, that snort can see traffic on
an interface with no IP assigned. (BTW, I'd be leery of assigning 0.0.0.0
to an interface. x.x.x.0 is the designated address for a network and
should not be used as a "live" address, just as x.x.x.255 is the broadcast
address for a network. I wouldn't trust it to work correctly, and it
shouldn't be needed. Your networking scripts should have something like:
And that should work fine.
Here's mine, for FreeBSD, and it works fine.
bash-2.05b# grep ifconfig_xl0 /etc/rc.conf
bash-2.05b# ifconfig xl0
xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::260:97ff:fe74:28e7%xl0 prefixlen 64 scopeid 0x1
media: Ethernet autoselect (100baseTX)
PROMISC is obsoleted in RedHat, so you don't need to use that, but up
should work just fine.
Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
More information about the Snort-users