[Snort-users] Configure snort to use eth1

Jim B elemint at ...11827...
Tue Feb 28 10:21:03 EST 2006


To make it reflect snort -i eth1, I would just enter that somewhere in
/etc/init.d/snortd?

When I did that I got the following message after trying to restart snort
with /etc/init.d/snort restart



   ,,_     -*> Snort! <*-
  o"  )~   Version 2.3.3 (Build 14)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2004 Sourcefire Inc., et al.

USAGE: snort [-options] <filter options>
Options:
        -A         Set alert mode: fast, full, console, or none  (alert file
alerts only)
                   "unsock" enables UNIX socket logging (experimental).
        -b         Log packets in tcpdump format (much faster!)
        -c <rules> Use Rules File <rules>
        -C         Print out payloads with character data only (no hex)
        -d         Dump the Application Layer
        -D         Run Snort in background (daemon) mode
        -e         Display the second layer header info
        -f         Turn off fflush() calls after binary log writes
        -F <bpf>   Read BPF filters from file <bpf>
        -g <gname> Run snort gid as <gname> group (or gid) after
initialization
        -h <hn>    Home network = <hn>
        -i <if>    Listen on interface <if>
        -I         Add Interface name to alert output
        -k <mode>  Checksum mode (all,noip,notcp,noudp,noicmp,none)
        -l <ld>    Log to directory <ld>
        -L <file>  Log to this tcpdump file
        -m <umask> Set umask = <umask>
        -n <cnt>   Exit after receiving <cnt> packets
        -N         Turn off logging (alerts still work)
        -o         Change the rule testing order to Pass|Alert|Log
        -O         Obfuscate the logged IP addresses
        -p         Disable promiscuous mode sniffing
        -P <snap>  Set explicit snaplen of packet (default: 1514)
        -q         Quiet. Don't show banner and status report
        -r <tf>    Read and process tcpdump file <tf>
        -R <id>    Include 'id' in snort_intf<id>.pid file name
        -s         Log alert messages to syslog
        -S <n=v>   Set rules file variable n equal to value v
        -t <dir>   Chroots process to <dir> after initialization
        -T         Test and report on the current Snort configuration
        -u <uname> Run snort uid as <uname> user (or uid) after
initialization
        -U         Use UTC for timestamps
        -v         Be verbose
        -V         Show version number
        -w         Dump 802.11 management and control frames
        -X         Dump the raw packet data starting at the link layer
        -y         Include year in timestamp in the alert and log files
        -z         Set assurance mode, match on established sesions (for
TCP)
        -?         Show this information
<Filter Options> are standard BPF options, as seen in TCPDump


Uh, you need to tell me to do something...

: No such file or directory




Jim



On 2/28/06, James Lay <jlay at ...13475...> wrote:
>
>  Modify your /etc/init.d/snortd to reflect:
>
>
>
> snort –i eth1 ……
>
>
>
> James
>
>
>  ------------------------------
>
> *From:* snort-users-admin at lists.sourceforge.net [mailto:
> snort-users-admin at lists.sourceforge.net] *On Behalf Of *Jim B
> *Sent:* Tuesday, February 28, 2006 11:08 AM
> *To:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Configure snort to use eth1
>
>
>
> I believe the script being used is /etc/init.d/snortd, I did restart the
> service with /etc/init.d/snortd restart.
>
>
>
> I am running Red Hat Enterprise 4, I got the rpm from rpmfind.net, the rpm
> is named            snort-2.3.3-1.2.el4.rf.i386.rpm
>
>
> I installed the rpm with rpm -i  snort-2.3.3-1.2.el4.rf.i386.rpm
>
>
>
>
>
>
> Jim
>
>
>
> On 2/28/06, *Patrick S. Harper* <patrick at ...4250...> wrote:
>
> Are you sure that is the script used to launch snort?  Also, did you
> bounce
> the service after you made the change?  A little more info like distro and
>
> install method would help too.
>
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto: snort-users-admin at lists.sourceforge.net] On Behalf Of Jim B
> Sent: Tuesday, February 28, 2006 10:17 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Configure snort to use eth1
>
> I have changed the config in /etc/init.d/snortd to eth1 but when I run a
> "ps aux | grep snort" I still see that eth0 is being used and if I grep eth in
> /etc/snort/snort.conf there is no reference to use eth0
>
> I want to configure snort to pull traffic from both eth0 and eth1 but
> mostly
> eth1.
>
>
>
> Jim
>
>
>
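The thread above turns on three things a practitioner wants to verify when pointing an init script at another interface: that the -i option in the script is really an ASCII "-i" (the quoted reply carries an en-dash, which snort's option parser will not recognise as the -i switch), that the configuration starts cleanly before the service is bounced, and that the running process actually listens on the interface the script names. The shell fragment below is an added example, not code from the thread or from the Snort project; it uses only switches listed in the usage text above (-D, -i, -c, -l, -u, -g, -T) and assumes hypothetical defaults for the config path, log directory, a "snort" user/group and the interface list. Running one instance per interface is how Snort 2.x covers both eth0 and eth1.

```sh
#!/bin/sh
# Added example, not part of the thread or of the Snort project: the pieces an
# /etc/init.d/snortd script needs to start one Snort 2.x instance per interface
# and to check what is actually running. Only switches from the usage text
# above are used (-D, -i, -c, -l, -u, -g, -T). CONF, LOGDIR, the "snort"
# user/group and the interface list are assumed defaults.

CONF=${CONF:-/etc/snort/snort.conf}
LOGDIR=${LOGDIR:-/var/log/snort}
INTERFACES=${INTERFACES:-"eth0 eth1"}

# True (exit 0) when the argument contains a byte outside 7-bit ASCII. A dash
# pasted from a mail client is often U+2013 rather than "-", and snort's
# option parser does not recognise that as the -i switch.
has_non_ascii() {
    printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'
}

# Command line for one interface. Per the -R usage line the pid file is named
# snort_<intf>.pid, so separate interfaces already get separate pid files;
# -R is only needed for two instances on the same interface. A log directory
# per interface keeps the instances' output apart; -u/-g drop privileges
# after initialization (assumes a "snort" user and group exist).
snort_cmd() {
    iface=$1
    printf 'snort -D -u snort -g snort -i %s -c %s -l %s/%s' \
        "$iface" "$CONF" "$LOGDIR" "$iface"
}

# Config test for one interface (the -T switch): run it by hand after editing
# snortd and before restarting, so a bad rules path or unknown interface
# shows up in the terminal instead of in a daemon that silently stays on eth0.
snort_test_cmd() {
    printf 'snort -T -i %s -c %s' "$1" "$CONF"
}

# Pull the -i value out of a "ps aux" command line so a script can confirm
# the running instance listens where the init script says it should.
iface_from_cmdline() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]-i[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Refuse a generated command line that carries stray non-ASCII bytes;
# otherwise print the test and start lines the init script would run.
for dev in $INTERFACES; do
    cmd=$(snort_cmd "$dev")
    if has_non_ascii "$cmd"; then
        echo "refusing: non-ASCII byte in command line for $dev: $cmd" >&2
        continue
    fi
    echo "test:  $(snort_test_cmd "$dev")"
    echo "start: $cmd"
done
```

After a restart, feed each `ps aux | grep '[s]nort'` line to iface_from_cmdline; if it still says eth0, the script that was edited is not the one the service actually launched, which is exactly the question raised earlier in the thread.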