[Snort-users] Snort Just Does Not Want To Work on Shadow Interrface

Patrick S. Harper patrick at ...4250...
Tue Jul 20 16:19:15 EDT 2004

If it is seeing traffic with and without an ip, but only matching against
rules with an IP you must be doing something different.  Are you starting it
with the same switches?  Slap a rule in your snort.conf to trigger an alert
for any TCP packet it sees and start it up.  Maybe (would be weird) it is
just not seeing that matches the rules when you remove the IP 

Patrick S. Harper | CISSP RHCT MCSE

www.ntsug.org - Snort Users Group

"If there is no light at the end of the tunnel, get down there and light the
damn thing yourself!"
-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Rhugga
Sent: Tuesday, July 20, 2004 5:18 PM
To: Paul Schmehl
Cc: Snort-User Mailing List
Subject: Re: [Snort-users] Snort Just Does Not Want To Work on Shadow

Paul Schmehl wrote:

> --On Tuesday, July 20, 2004 6:55 AM -0700 Rhugga 
> <snort-list at ...12135...> wrote:
>> If I look at the traffic on eth1:
>> syslog:/usr/local/snort/bin #./snort -i eth1 -v Running in packet 
>> dump mode Log directory = /var/log/snort
>> Initializing Network Interface eth1
>> OpenPcap() device eth1 network lookup:
>>        eth1: no IPv4 address assigned
>>        --== Initializing Snort ==--
>> Initializing Output Plugins!
>> Decoding Ethernet on interface eth1
>>        --== Initialization Complete ==--
>> -*> Snort! <*-
>> Version 2.1.3 (Build 27)
>> By Martin Roesch (roesch at ...1935..., www.snort.org)
>> 07/20-06:28:39.383108 -> 65.120.XX.XX IPV6-CRYPT 
>> TTL:52 TOS:0x0 ID:43725 IpLen:20 DgmLen:104 
>> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
>> +=+=+
>> 07/20-06:28:39.383705 -> 65.120.XX.XX IPV6-CRYPT 
>> TTL:52 TOS:0x0 ID:43726 IpLen:20 DgmLen:104 
>> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
>> +=+=+
> So snort *is* working.  You can see it with your own eyes.

Yes,  using Pat Harper's info I got to this point a few emails back. It is
reading packets on that network but it is not matching rules. (before I did
not have the 65.120.xx.xx network in HOME_NET)  The second I give it a valid
IP address it starts matching rules. Believe, I am just as perplexed as all.

>> It is reading traffic on eth1.
> And you acknowledge it as well.
>> However, when I start nagios it will run, but it will not match 
>> anything.
> What does nagios have to do with snort?

Sorry, as I mentioned a few messages previous to this I am also building a
nagios system at the same time and towards the end of a 16-hour day my
wording was getting garbled in my brain somewhere. I am also recovering a
1/2 TB oracle database at the same time with nasty data corruption. 
Heh, fighting fires on top of fires and trying to build management
infrastructure on top of all that. =(  (so that it can help me fight
fires,.... oh I have gone cross-eyed)

>> I get not a single alert.
> Not a single alert where?  You've been asked this before.  *Please* 
> show us your snort.conf file - grep -v "#" /etc/snort/snort.conf (or 
> whatever the correct path is.)  It's really hard to troubleshoot blind.

As I mentioned before, my snort config is currently vanilla (as in the
provided sample) with the exception of HOME_NET and EXTERNAL_NET. Yes, I
know that is not a good config to run permanenetly. Once I get the core
system working, I will start adding in my rulesets and customizations.

>> However, when I
>> assign eth1 a valid IP address on the 65.120.XX.XX network, it 
>> immediately starts matching. Within seconds my alert count starts 
>> climbing. (Note that when I say I am assigning it a valid IP address 
>> I also modify HOME_NET to reflect this)
> So it's not the same setup as the one that's failing.  Show us your 
> snort.conf file, *please*!  Show us the section of /var/log/messages 
> that shows you bringing up snort.
> You've already proven, to us and to yourself, that snort can see 
> traffic on an interface with no IP assigned.  (BTW, I'd be leery of 
> assigning to an interface.  x.x.x.0 is the designated address 
> for a network and should not be used as a "live" address, just as
> x.x.x.255 is the broadcast address for a network.  I wouldn't trust it 
> to work correctly, and it shouldn't be needed.  Your networking 
> scripts should have something like:
Yea, as I mentioned before the reason I tried this setting was because I saw
this as a solution to someone's problem in the mailing list archive. 
All Balls ( is the default route, always. That is exactly why I
would not run that setting permanently; I was merely using that setting as a
troubleshooting tool.

> ifconfig up
> bootproto none
> userctl no
> And that should work fine.
> Here's mine, for FreeBSD, and it works fine.
> bash-2.05b# grep ifconfig_xl0 /etc/rc.conf ifconfig_xl0="promisc up"
> bash-2.05b# ifconfig xl0
>        inet6 fe80::260:97ff:fe74:28e7%xl0 prefixlen 64 scopeid 0x1
>        ether 00:60:97:74:28:e7
>        media: Ethernet autoselect (100baseTX)
>        status: active
> PROMISC is obsoleted in RedHat, so you don't need to use that, but up 
> should work just fine.
> Paul Schmehl (pauls at ...6838...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu

This SF.Net email is sponsored by BEA Weblogic Workshop FREE Java Enterprise
J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.723 / Virus Database: 479 - Release Date: 7/19/2004

Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.723 / Virus Database: 479 - Release Date: 7/19/2004

More information about the Snort-users mailing list