[Snort-users] Snort Just Does Not Want To Work on Shadow Interface

Rhugga snort-list at ...12135...
Tue Jul 20 15:28:27 EDT 2004


Paul Schmehl wrote:

> --On Tuesday, July 20, 2004 6:55 AM -0700 Rhugga 
> <snort-list at ...12135...> wrote:
>
>>
>> If I look at the traffic on eth1:
>>
>> syslog:/usr/local/snort/bin #./snort -i eth1 -v
>> Running in packet dump mode
>> Log directory = /var/log/snort
>>
>> Initializing Network Interface eth1
>> OpenPcap() device eth1 network lookup:
>>        eth1: no IPv4 address assigned
>>
>>        --== Initializing Snort ==--
>> Initializing Output Plugins!
>> Decoding Ethernet on interface eth1
>>
>>        --== Initialization Complete ==--
>>
>> -*> Snort! <*-
>> Version 2.1.3 (Build 27)
>> By Martin Roesch (roesch at ...1935..., www.snort.org)
>> 07/20-06:28:39.383108 207.158.24.130 -> 65.120.XX.XX
>> IPV6-CRYPT TTL:52 TOS:0x0 ID:43725 IpLen:20 DgmLen:104
>> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 
>>
>>
>> 07/20-06:28:39.383705 207.158.24.130 -> 65.120.XX.XX
>> IPV6-CRYPT TTL:52 TOS:0x0 ID:43726 IpLen:20 DgmLen:104
>> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 
>>
>>
> So snort *is* working.  You can see it with your own eyes.
>

Yes, using Pat Harper's info I got to this point a few emails back. It 
is reading packets on that network but it is not matching rules. (Before 
I did not have the 65.120.xx.xx network in HOME_NET.) The second I give 
it a valid IP address it starts matching rules. Believe me, I am just as 
perplexed as anyone.

>> It is reading traffic on eth1.
>
>
> And you acknowledge it as well.
>
>> However, when I start nagios it will run,
>> but it will not match anything.
>
>
> What does nagios have to do with snort?

Sorry, as I mentioned a few messages previous to this, I am also building 
a nagios system at the same time, and towards the end of a 16-hour day my 
wording was getting garbled in my brain somewhere. I am also recovering 
a 1/2 TB oracle database at the same time with nasty data corruption. 
Heh, fighting fires on top of fires and trying to build management 
infrastructure on top of all that. =( (So that it can help me fight 
fires... oh, I have gone cross-eyed.)

>
>> I get not a single alert.
>
>
> Not a single alert where?  You've been asked this before.  *Please* 
> show us your snort.conf file - grep -v "#" /etc/snort/snort.conf (or 
> whatever the correct path is.)  It's really hard to troubleshoot blind.


As I mentioned before, my snort config is currently vanilla (as in the 
provided sample) with the exception of HOME_NET and EXTERNAL_NET. Yes, I 
know that is not a good config to run permanently. Once I get the core 
system working, I will start adding in my rulesets and customizations.

>
>> However, when I
>> assign eth1 a valid IP address on the 65.120.XX.XX network, it
>> immediately starts matching. Within seconds my alert count starts
>> climbing. (Note that when I say I am assigning it a valid IP address I
>> also modify HOME_NET to reflect this)
>>
> So it's not the same setup as the one that's failing.  Show us your 
> snort.conf file, *please*!  Show us the section of /var/log/messages 
> that shows you bringing up snort.
>
> You've already proven, to us and to yourself, that snort can see 
> traffic on an interface with no IP assigned.  (BTW, I'd be leery of 
> assigning 0.0.0.0 to an interface.  x.x.x.0 is the designated address 
> for a network and should not be used as a "live" address, just as 
> x.x.x.255 is the broadcast address for a network.  I wouldn't trust it 
> to work correctly, and it shouldn't be needed.  Your networking 
> scripts should have something like:
>
Yeah, as I mentioned before, the reason I tried this setting was that I 
saw it offered as a solution to someone's problem in the mailing list archive. 
All Balls (0.0.0.0) is the default route, always. That is exactly why I 
would not run that setting permanently; I was merely using that setting 
as a troubleshooting tool.

> ifconfig up
> bootproto none
> userctl no
>
> And that should work fine.
>
> Here's mine, for FreeBSD, and it works fine.
>
> bash-2.05b# grep ifconfig_xl0 /etc/rc.conf
> ifconfig_xl0="promisc up"
>
> bash-2.05b# ifconfig xl0
> xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>        inet6 fe80::260:97ff:fe74:28e7%xl0 prefixlen 64 scopeid 0x1
>        ether 00:60:97:74:28:e7
>        media: Ethernet autoselect (100baseTX)
>        status: active
>
> PROMISC is obsoleted in RedHat, so you don't need to use that, but up 
> should work just fine.
>
> Paul Schmehl (pauls at ...6838...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
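
The symptom in this thread (snort decodes packets on the IP-less interface but no rule fires until HOME_NET is changed to cover the monitored network) follows from how the stock rules are written: almost all of them are `$EXTERNAL_NET ... -> $HOME_NET ...`, so a flow with neither endpoint inside HOME_NET is never a candidate for a match. The script below is an added example, not code from this thread or from the Snort project. It parses the `var HOME_NET` line out of snort.conf-style text (including `any`, a bracketed comma list and `!` negation) and the `src -> dst` lines of `snort -v` packet-dump output, then lists the flows that no `$EXTERNAL_NET -> $HOME_NET` rule could ever match. The config and dump text are constructed samples; `65.120.0.0/16` stands in for the poster's masked network, and all function names are my own.

```python
"""Check whether Snort's HOME_NET covers the hosts seen in a packet dump.

Added example, not from the mailing-list thread or the Snort project.
Flows with neither endpoint in HOME_NET cannot match any rule written as
$EXTERNAL_NET -> $HOME_NET, which is the 'snort sees packets but never
alerts' symptom discussed in the thread.
"""
import ipaddress
import re

# Constructed sample config. The thread only says HOME_NET and EXTERNAL_NET
# were changed; 65.120.0.0/16 stands in for the poster's masked prefix.
SAMPLE_CONF = """\
var HOME_NET [65.120.0.0/16,!65.120.99.0/24]
var EXTERNAL_NET !$HOME_NET
"""

# Constructed sample of `snort -v` output (same line format as in the
# thread, addresses made up).
SAMPLE_DUMP = """\
07/20-06:28:39.383108 207.158.24.130 -> 65.120.10.20
IPV6-CRYPT TTL:52 TOS:0x0 ID:43725 IpLen:20 DgmLen:104
07/20-06:28:40.100000 10.9.8.7 -> 172.16.5.5
07/20-06:28:41.200000 65.120.99.7 -> 207.158.24.130
"""

# 'var' or 'ipvar' HOME_NET <value>; value is one whitespace-free token.
VAR_RE = re.compile(r"^\s*(?:ip)?var\s+HOME_NET\s+(\S+)", re.MULTILINE)
# Packet header line: MM/DD-hh:mm:ss.usec src -> dst
FLOW_RE = re.compile(r"^\d\d/\d\d-[\d:.]+\s+(\S+)\s+->\s+(\S+)", re.MULTILINE)


def parse_home_net(conf_text):
    """Return (include, exclude) lists of ip_network objects for HOME_NET.

    Handles 'any', a single address/CIDR, a bracketed comma list, and a
    leading '!' on the whole list or on individual entries.
    """
    m = VAR_RE.search(conf_text)
    if not m:
        raise ValueError("no HOME_NET definition found")
    value = m.group(1)
    if value == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], []
    negate_all = value.startswith("!")
    entries = value.lstrip("!").strip("[]").split(",")
    include, exclude = [], []
    for entry in entries:
        entry = entry.strip()
        negated = negate_all or entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        (exclude if negated else include).append(net)
    if not include:
        # Only exclusions were given: HOME_NET is everything except them.
        include.append(ipaddress.ip_network("0.0.0.0/0"))
    return include, exclude


def strip_port(addr):
    """TCP/UDP dump lines carry 'host:port'; leave IPv6 literals alone."""
    return addr.split(":")[0] if addr.count(":") == 1 else addr


def in_home_net(addr, include, exclude):
    """True if addr is inside an include network and not inside any exclude."""
    ip = ipaddress.ip_address(strip_port(addr))
    if any(ip in net for net in exclude):
        return False
    return any(ip in net for net in include)


def parse_flows(dump_text):
    """Return the (src, dst) pairs from snort -v packet header lines."""
    return FLOW_RE.findall(dump_text)


def uncovered_flows(conf_text, dump_text):
    """Flows with neither endpoint in HOME_NET: $EXTERNAL_NET -> $HOME_NET
    rules can never fire on these, however vanilla the ruleset."""
    include, exclude = parse_home_net(conf_text)
    return [(src, dst) for src, dst in parse_flows(dump_text)
            if not in_home_net(src, include, exclude)
            and not in_home_net(dst, include, exclude)]


if __name__ == "__main__":
    for src, dst in uncovered_flows(SAMPLE_CONF, SAMPLE_DUMP):
        print(f"no endpoint in HOME_NET, rules will not fire: {src} -> {dst}")
```

Run it against a real `snort -v` capture from the shadow interface and the live snort.conf; every flow it prints is traffic the sensor decodes but the `$HOME_NET`-based rules ignore. If most of the monitored traffic lands in that list, the fix is the HOME_NET variable, not the interface.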
