[Snort-users] snort daemon to listen to eth2 and eth3 in promiscuous mode

Kaushal Shriyan kaushalshriyan at ...11827...
Thu Feb 21 05:42:36 EST 2013


Hi Ayodele

I have the below settings in my snort.conf -> http://fpaste.org/F8ZO/

cat /tmp/interfaces
bond0     Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0C
          inet addr:192.168.73.67  Bcast:192.168.73.255  Mask:255.255.255.0
          inet6 addr: fe80::e2db:55ff:fe05:d00c/64 Scope:Link
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:1902153 errors:0 dropped:0 overruns:0 frame:0
          TX packets:250497 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:232394243 (221.6 MiB)  TX bytes:93066331 (88.7 MiB)

eth0      Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0C
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:1101579 errors:0 dropped:0 overruns:0 frame:0
          TX packets:250497 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:169722435 (161.8 MiB)  TX bytes:93066331 (88.7 MiB)
          Interrupt:194 Memory:d91a0000-d91b0000

eth1      Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0C
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:800574 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:62671808 (59.7 MiB)  TX bytes:0 (0.0 b)
          Interrupt:202 Memory:d91d0000-d91e0000

eth2      Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0E
          inet6 addr: fe80::e2db:55ff:fe05:d00e/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:64 (64.0 b)  TX bytes:492 (492.0 b)
          Interrupt:210 Memory:d90a0000-d90b0000

eth3      Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0F
          inet6 addr: fe80::e2db:55ff:fe05:d00f/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:64 (64.0 b)  TX bytes:492 (492.0 b)
          Interrupt:218 Memory:d90d0000-d90e0000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:104 errors:0 dropped:0 overruns:0 frame:0
          TX packets:104 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5200 (5.0 KiB)  TX bytes:5200 (5.0 KiB)

#ps aux | grep snort
snort    21011  0.0  0.2 416992 71812 ?        Ssl  16:05   0:00
/usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c
/etc/snort/snort.conf -l /var/log/snort
root     21031  0.0  0.0  61172   748 pts/0    S+   16:09   0:00 grep snort
I tried running /usr/sbin/snort -c /etc/snort/snort.conf -u snort -g snort
--daq afpacket -i eth2:eth3 -Q but I don't see any traffic in the
/var/log/snort/alert file.

Please let me know if I am missing anything and if you need any
additional certificate. Also the Datacenter folks have told us the port
mirroring is done on the L3 switch running in L2 mode.

Regards,

Kaushal




On Tue, Feb 19, 2013 at 11:25 PM, Kaushal Shriyan
<kaushalshriyan at ...11827...> wrote:

>
>
> On Tue, Feb 19, 2013 at 8:12 PM, Ayodele Okeowo <aymacro at ...11827...> wrote:
>
>> Nice! I will assume you are using the bond0 interface as your management
>> interface and it's described in your snort config file.
>>
>> You shouldn't have any problem you just have to change the format of the
>> command line to the one I pasted earlier.
>>
>> Ayo
>>
>>
> Thanks a Lot Ayodele. Will update you as i progress and seek help here if
> i get into issues.
> Thanks everyone for the kind support. Much Appreciated.
>
> Regards,
>
> Kaushal
>
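One thing the ifconfig output in this thread already tells you, independently of how Snort is invoked: eth2 and eth3 each show "RX packets:1". If the mirror port were delivering traffic, those counters would climb steadily, so an empty alert file is expected until frames actually arrive on the sensor interfaces. The script below is an added example, not code from the thread or from the Snort project; it parses ifconfig-style text, which here is a constructed sample modelled on the output above, and gives a per-interface verdict so you can separate "the span is not delivering frames" from "Snort is not inspecting them". The threshold of 10 packets is an arbitrary choice for the example.

```shell
#!/bin/sh
# Added example (not from the original post): triage mirrored sensor
# interfaces from ifconfig-style output before touching the Snort config.

# Constructed sample modelled on the post's ifconfig output.
# In production, feed the real text in: SAMPLE_IFCONFIG="$(ifconfig)"
SAMPLE_IFCONFIG='eth2      Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0E
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0

eth3      Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0F
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0

bond0     Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0C
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:1902153 errors:0 dropped:0 overruns:0 frame:0
          TX packets:250497 errors:0 dropped:0 overruns:0 carrier:0
'

# rx_packets IFACE TEXT : print the RX packet counter of IFACE (empty if absent).
# An interface block starts with a name in column 1; detail lines are indented.
rx_packets() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[A-Za-z]/ { cur = $1 }
        cur == want && /RX packets:/ { sub(/.*RX packets:/, ""); print $1; exit }
    '
}

# is_promisc IFACE TEXT : succeed if the flags line of IFACE contains PROMISC.
is_promisc() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[A-Za-z]/ { cur = $1 }
        cur == want && /PROMISC/ { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# mirror_status IFACE TEXT : one-word verdict.
#   missing     interface not present in the text
#   no-promisc  not in promiscuous mode: nothing (Snort/DAQ) has opened it
#   no-traffic  promiscuous, but (almost) no frames received: check the SPAN
#   ok          promiscuous and receiving frames
mirror_status() {
    rx=$(rx_packets "$1" "$2")
    [ -z "$rx" ] && { echo "missing"; return; }
    if ! is_promisc "$1" "$2"; then echo "no-promisc"; return; fi
    # Threshold of 10 is arbitrary for the example; a live span shows thousands.
    if [ "$rx" -le 10 ]; then echo "no-traffic"; else echo "ok"; fi
}

# report IFACE... : print counter and verdict for each named interface.
report() {
    for ifc in "$@"; do
        printf '%-6s rx=%-10s %s\n' "$ifc" \
            "$(rx_packets "$ifc" "$SAMPLE_IFCONFIG")" \
            "$(mirror_status "$ifc" "$SAMPLE_IFCONFIG")"
    done
}

report eth2 eth3 bond0
```

Run it twice a minute apart: if the RX counter on eth2/eth3 does not move, the mirror session on the switch is the problem, not the Snort command line. Once the counters climb, a quick `tcpdump -i eth2` will confirm the frames are what you expect before you look at the alert file again.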