[Snort-users] Snort Just Does Not Want To Work on Shadow Interrface
snort-list at ...12135...
Tue Jul 20 15:28:27 EDT 2004
Paul Schmehl wrote:
> --On Tuesday, July 20, 2004 6:55 AM -0700 Rhugga
> <snort-list at ...12135...> wrote:
>> If I look at the traffic on eth1:
>> syslog:/usr/local/snort/bin #./snort -i eth1 -v
>> Running in packet dump mode
>> Log directory = /var/log/snort
>> Initializing Network Interface eth1
>> OpenPcap() device eth1 network lookup:
>> eth1: no IPv4 address assigned
>> --== Initializing Snort ==--
>> Initializing Output Plugins!
>> Decoding Ethernet on interface eth1
>> --== Initialization Complete ==--
>> -*> Snort! <*-
>> Version 2.1.3 (Build 27)
>> By Martin Roesch (roesch at ...1935..., www.snort.org)
>> 07/20-06:28:39.383108 22.214.171.124 -> 65.120.XX.XX
>> IPV6-CRYPT TTL:52 TOS:0x0 ID:43725 IpLen:20 DgmLen:104
>> 07/20-06:28:39.383705 126.96.36.199 -> 65.120.XX.XX
>> IPV6-CRYPT TTL:52 TOS:0x0 ID:43726 IpLen:20 DgmLen:104
> So snort *is* working. You can see it with your own eyes.
Yes, using Pat Harper's info I got to this point a few emails back. It
is reading packets on that network but it is not matching rules. (before
I did not have the 65.120.xx.xx network in HOME_NET) The second I give
it a valid IP address it starts matching rules. Believe, I am just as
perplexed as all.
>> It is reading traffic on eth1.
> And you acknowledge it as well.
>> However, when I start nagios it will run,
>> but it will not match anything.
> What does nagios have to do with snort?
Sorry, as I mentioned a few messages previous to this I am also building
a nagios system at the same time and towards the end of a 16-hour day my
wording was getting garbled in my brain somewhere. I am also recovering
a 1/2 TB oracle database at the same time with nasty data corruption.
Heh, fighting fires on top of fires and trying to build management
infrastructure on top of all that. =( (so that it can help me fight
fires,.... oh I have gone cross-eyed)
>> I get not a single alert.
> Not a single alert where? You've been asked this before. *Please*
> show us your snort.conf file - grep -v "#" /etc/snort/snort.conf (or
> whatever the correct path is.) It's really hard to troubleshoot blind.
As I mentioned before, my snort config is currently vanilla (as in the
provided sample) with the exception of HOME_NET and EXTERNAL_NET. Yes, I
know that is not a good config to run permanenetly. Once I get the core
system working, I will start adding in my rulesets and customizations.
>> However, when I
>> assign eth1 a valid IP address on the 65.120.XX.XX network, it
>> immediately starts matching. Within seconds my alert count starts
>> climbing. (Note that when I say I am assigning it a valid IP address I
>> also modify HOME_NET to reflect this)
> So it's not the same setup as the one that's failing. Show us your
> snort.conf file, *please*! Show us the section of /var/log/messages
> that shows you bringing up snort.
> You've already proven, to us and to yourself, that snort can see
> traffic on an interface with no IP assigned. (BTW, I'd be leery of
> assigning 0.0.0.0 to an interface. x.x.x.0 is the designated address
> for a network and should not be used as a "live" address, just as
> x.x.x.255 is the broadcast address for a network. I wouldn't trust it
> to work correctly, and it shouldn't be needed. Your networking
> scripts should have something like:
Yea, as I mentioned before the reason I tried this setting was because I
saw this as a solution to someone's problem in the mailing list archive.
All Balls (0.0.0.0) is the default route, always. That is exactly why I
would not run that setting permanently; I was merely using that setting
as a troubleshooting tool.
> ifconfig up
> bootproto none
> userctl no
> And that should work fine.
> Here's mine, for FreeBSD, and it works fine.
> bash-2.05b# grep ifconfig_xl0 /etc/rc.conf
> ifconfig_xl0="promisc up"
> bash-2.05b# ifconfig xl0
> xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
> inet6 fe80::260:97ff:fe74:28e7%xl0 prefixlen 64 scopeid 0x1
> ether 00:60:97:74:28:e7
> media: Ethernet autoselect (100baseTX)
> status: active
> PROMISC is obsoleted in RedHat, so you don't need to use that, but up
> should work just fine.
> Paul Schmehl (pauls at ...6838...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
More information about the Snort-users