[Snort-users] Configure snort to use eth1

James Lay jlay at ...13475...
Tue Feb 28 12:46:12 EST 2006


Can you send me that snortd file?  I'm curious to see how it looks.

James

On Tue, 28 Feb 2006 12:05:35 -0700
"Jim B" <elemint at ...11827...> wrote:

> That actually worked.   But I just get the following
> in /var/log/snort/alert
> 
> 
> 02/16-08:48:08.515315  [**] [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! [**]
> 02/16-08:48:08.515323  [**] [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! [**]
> 
> 
> Do you recommend running snort manually like that instead of using the
> file in /etc/init.d/snortd?
> 
> Here is the output from ps aux |grep snort
> 
> root      9660  0.1  4.6 52472 48508 ?       Ss   11:49   0:01 snort -i eth1 -D -N -c /etc/snort/snort.conf
> 
> 
> Jim
> 
> 
> On 2/28/06, Jim B <elemint at ...11827...> wrote:
> >
> > I just changed it:
> >
> >  grep D /etc/init.d/snortd |grep snort |grep bin
> >                 daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i eth1 -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
> >                   daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i eth1 -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
> >               daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF -s
> >
> > but when I do a ps aux |grep snort* I still get
> >
> > snort     9592  1.8  4.7 54572 48916 ?       Ss   11:37   0:01 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort -s
> >
> >
> > I know this file is changing things because if I enter something
> > wrong I get an error back and snort does not start.
> >
> > Jim
> >
> >
> >
> > On 2/28/06, James Lay <jlay at ...13475...> wrote:
> > >
> > >  Find the line that says snort -D and just add that -i eth1 to it
> > > at the beginning of the line.  Here's mine:
> > >
> > >
> > >
> > > /usr/local/bin/snort -i eth1 -D -N -o -c /etc/snort/snort.conf
> > >
> > >
> > >
> > > James
> > >
> > >
> > >  ------------------------------
> > >
> > > From: Jim B [mailto:elemint at ...11827...]
> > > Sent: Tuesday, February 28, 2006 11:21 AM
> > > To: jlay
> > > Cc: snort-users at lists.sourceforge.net
> > > Subject: Re: [Snort-users] Configure snort to use eth1
> > >
> > >
> > >
> > > To make it reflect snort -i eth1, I would just enter that
> > > somewhere in /etc/init.d/snortd?
> > >
> > >
> > >
> > > When I did that I got the following message after trying to
> > > restart snort with /etc/init.d/snort restart
> > >
> > >
> > >
> > >
> > >    ,,_     -*> Snort! <*-
> > >   o"  )~   Version 2.3.3 (Build 14)
> > >    ''''    By Martin Roesch & The Snort Team:
> > > http://www.snort.org/team.html
> > >            (C) Copyright 1998-2004 Sourcefire Inc., et al.
> > >
> > > USAGE: snort [-options] <filter options>
> > > Options:
> > >         -A         Set alert mode: fast, full, console, or none (alert file alerts only)
> > >                    "unsock" enables UNIX socket logging (experimental).
> > >         -b         Log packets in tcpdump format (much faster!)
> > >         -c <rules> Use Rules File <rules>
> > >         -C         Print out payloads with character data only (no hex)
> > >         -d         Dump the Application Layer
> > >         -D         Run Snort in background (daemon) mode
> > >         -e         Display the second layer header info
> > >         -f         Turn off fflush() calls after binary log writes
> > >         -F <bpf>   Read BPF filters from file <bpf>
> > >         -g <gname> Run snort gid as <gname> group (or gid) after initialization
> > >         -h <hn>    Home network = <hn>
> > >         -i <if>    Listen on interface <if>
> > >         -I         Add Interface name to alert output
> > >         -k <mode>  Checksum mode (all,noip,notcp,noudp,noicmp,none)
> > >         -l <ld>    Log to directory <ld>
> > >         -L <file>  Log to this tcpdump file
> > >         -m <umask> Set umask = <umask>
> > >         -n <cnt>   Exit after receiving <cnt> packets
> > >         -N         Turn off logging (alerts still work)
> > >         -o         Change the rule testing order to Pass|Alert|Log
> > >         -O         Obfuscate the logged IP addresses
> > >         -p         Disable promiscuous mode sniffing
> > >         -P <snap>  Set explicit snaplen of packet (default: 1514)
> > >         -q         Quiet. Don't show banner and status report
> > >         -r <tf>    Read and process tcpdump file <tf>
> > >         -R <id>    Include 'id' in snort_intf<id>.pid file name
> > >         -s         Log alert messages to syslog
> > >         -S <n=v>   Set rules file variable n equal to value v
> > >         -t <dir>   Chroots process to <dir> after initialization
> > >         -T         Test and report on the current Snort configuration
> > >         -u <uname> Run snort uid as <uname> user (or uid) after initialization
> > >         -U         Use UTC for timestamps
> > >         -v         Be verbose
> > >         -V         Show version number
> > >         -w         Dump 802.11 management and control frames
> > >         -X         Dump the raw packet data starting at the link layer
> > >         -y         Include year in timestamp in the alert and log files
> > >         -z         Set assurance mode, match on established sesions (for TCP)
> > >         -?         Show this information
> > > <Filter Options> are standard BPF options, as seen in TCPDump
> > >
> > >
> > > Uh, you need to tell me to do something...
> > >
> > > : No such file or directory
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > Jim
> > >
> > >
> > >
> > >
> > >
> > > On 2/28/06, James Lay <jlay at ...13475...> wrote:
> > >
> > > Modify your /etc/init.d/snortd to reflect:
> > >
> > >
> > >
> > > snort -i eth1 ...
> > >
> > >
> > >
> > > James
> > >
> > >
> > >  ------------------------------
> > >
> > > From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Jim B
> > > Sent: Tuesday, February 28, 2006 11:08 AM
> > > To: snort-users at lists.sourceforge.net
> > > Subject: Re: [Snort-users] Configure snort to use eth1
> > >
> > >
> > >
> > > I believe the script being used is /etc/init.d/snortd; I did
> > > restart the service with /etc/init.d/snortd restart.
> > >
> > >
> > >
> > > I am running Red Hat Enterprise 4. I got the rpm from
> > > rpmfind.net; the rpm is named
> > > snort-2.3.3-1.2.el4.rf.i386.rpm
> > >
> > >
> > > I installed the rpm with rpm -i  snort-2.3.3-1.2.el4.rf.i386.rpm
> > >
> > >
> > >
> > >
> > >
> > >
> > > Jim
> > >
> > >
> > >
> > > On 2/28/06, Patrick S. Harper <patrick at ...4250...> wrote:
> > >
> > > Are you sure that is the script used to launch snort?  Also, did you bounce
> > > the service after you made the change?  A little more info like distro and
> > > install method would help too.
> > >
> > >
> > > -----Original Message-----
> > > From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Jim B
> > > Sent: Tuesday, February 28, 2006 10:17 AM
> > > To: snort-users at lists.sourceforge.net
> > > Subject: [Snort-users] Configure snort to use eth1
> > >
> > > I have changed the config in /etc/init.d/snortd to eth1, but when I run a
> > > "ps aux |grep snort" I still see that eth0 is being used, and if I grep eth
> > > in /etc/snort/snort.conf there is no reference to use eth0.
> > >
> > > I want to configure snort to pull traffic from both eth0 and eth1, but mostly
> > > eth1.
> > >
> > >
> > >
> > > Jim
> > >
> > >
> > >
> > >
> > >
> >
> >
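The thread turns on a mismatch between the interface written into /etc/init.d/snortd and the one the running process actually shows in `ps aux`. As an added example (not part of the thread, and not a script shipped with snort), the POSIX shell snippet below pulls the `-i` argument out of a snort command line and compares it with the intended interface, so the check can be scripted instead of eyeballed. The sample command lines are constructed after the two `ps` outputs quoted above; the function names `snort_iface`, `check_iface` and `live_snort_ifaces` are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): compare the interface a running snort
# process was started with against the interface the init script is meant
# to use.  Function names are this example's own, not snort's.

# snort_iface CMDLINE
#   Print the value following the first "-i" on a snort command line
#   (as shown by `ps aux`), or "none" if no -i argument is present.
snort_iface() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) {
            if ($i == "-i") { print $(i + 1); exit }
        }
        print "none"
    }'
}

# check_iface CMDLINE WANTED
#   Succeed (exit 0) only when the command line listens on WANTED.
check_iface() {
    [ "$(snort_iface "$1")" = "$2" ]
}

# live_snort_ifaces
#   Print one "pid iface" line per snort process on this host, taken from
#   the live process table.  For interactive use; not exercised by the test.
live_snort_ifaces() {
    ps -eo pid=,args= 2>/dev/null | while read -r pid args; do
        case "$args" in
            *snort*) printf '%s %s\n' "$pid" "$(snort_iface "$args")" ;;
        esac
    done
}

# Constructed sample lines modelled on the two ps outputs quoted in the thread:
# the init-script start (still on eth0) and the manual start (on eth1).
SAMPLE_INIT='/usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort -s'
SAMPLE_MANUAL='snort -i eth1 -D -N -c /etc/snort/snort.conf'

# When run directly: report each sample against the intended interface.
for line in "$SAMPLE_INIT" "$SAMPLE_MANUAL"; do
    if check_iface "$line" eth1; then
        echo "OK    eth1: $line"
    else
        echo "WRONG $(snort_iface "$line") (wanted eth1): $line"
    fi
done
```

Run on the host itself, `live_snort_ifaces` reports every snort process with the interface it was started on; if that differs from what the init script is supposed to pass, the script being edited is not the one launching the daemon, or a variable such as `$INTERFACE` is supplying the value from elsewhere.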



