[Snort-users] Snort crossing interfaces?

Kloc, Alisha Alisha.Kloc at ...15504...
Wed Feb 1 12:00:47 EST 2012


Hi list,

I'm a new member so please let me know if I'm not doing this right.

We have a problem with Snort 2.9.0.5 on a Windows 2003 server that we can't figure out. When we install Snort, it gets the machine's interfaces wrong (i.e., we have eth0 configured as the primary interface, and eth1 as the Snort interface, but Snort only listens on eth0). We can't figure out where Snort is setting the interfaces, or how to stop it from crossing them.

What makes this problem particularly scary is that it can apparently cause our machine to bluescreen. During initial troubleshooting, we tried disabling eth1 and rebooting - but the reboot bluescreened. We have no idea how Snort getting the interfaces wrong is making that happen, but it's a pretty drastic failure and we're very concerned.

A couple of troubleshooting caveats: We have a locked design, meaning that we can't upgrade to a newer Snort; and we also can't compile/recompile the code. (We use the Windows .exe to install.)

Has anyone seen this before? Do you know where/how Snort identifies the host machine's interfaces, and how we can get it straightened out?

Thanks!
-Alisha Kloc

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120201/ce455de0/attachment.html>


More information about the Snort-users mailing list