[Snort-users] snort daemon to listen to eth2 and eth3 in promiscuous mode

Ayodele Okeowo aymacro at ...11827...
Thu Feb 21 09:10:37 EST 2013


Did you run barnyard at all before you started running snort? Because I don't
see the barnyard service running in the snort process list you pasted.

Another thing: you will also have to change your rules from alert to pass,
drop, activate etc.

For testing, to make sure snort alerts on any traffic that is passed or
dropped, you should test with a simple rule like:

pass tcp any any <> any 80 (msg:"test-inline-rule"; sid:1000001; rev:1;)

Try double-checking the above and replace your alert rules with pass or drop,
but test first with the above simple rule (reference: Snort manual 2.9.4).

Let us know how it goes.
Ayo
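The test rule quoted above is the kind of line that is easy to get subtly wrong (a missing protocol field, a stray character after the closing parenthesis, no sid), and a sensor restarted in inline mode with a broken rule file simply fails to load. The following linter is an added example for this thread, not code from the Snort project or from either poster; it assumes the Snort 2.9 rule grammar the thread cites, and the sid value 1000001 in the corrected rule is a constructed local-range placeholder.

```python
import re

# Snort 2.9 rule vocabulary (assumption: the 2.9.4 manual the thread cites).
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
# option := name [: value] ;   (value may be a quoted string containing ';')
OPTION_RE = re.compile(r'\s*(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
PORT_RE = re.compile(r"!?(\$\w+|any|\d{1,5}(:\d{0,5})?|:\d{1,5}|\[[\d:,!]+\])")

def parse_options(body, problems):
    """Turn 'msg:"x"; sid:1;' into a dict, reporting any unparsable text."""
    opts, body, pos = {}, body.strip(), 0
    while pos < len(body):
        m = OPTION_RE.match(body, pos)
        if not m:
            problems.append(f"cannot parse options near {body[pos:pos + 20]!r}")
            break
        opts[m.group(1)], pos = m.group(2), m.end()
    return opts

def lint_rule(rule):
    """Return a list of problems; an empty list means the rule looks loadable."""
    problems = []
    open_p, close_p = rule.find("("), rule.rfind(")")
    if open_p < 0 or close_p < open_p:
        return ["rule has no '( ... )' option block"]
    if rule[close_p + 1:].strip():                      # e.g. a stray ';' after ')'
        problems.append(f"unexpected text after ')': {rule[close_p + 1:].strip()!r}")
    header = rule[:open_p].split()   # action proto src sport dir dst dport
    if len(header) != 7:
        problems.append(f"expected 7 header fields, got {len(header)}: {header}")
    if not header or header[0] not in ACTIONS:
        problems.append(f"unknown action {header[:1]}")
    if len(header) < 2 or header[1] not in PROTOCOLS:
        problems.append("second field must be a protocol (tcp/udp/icmp/ip)")
    if len(header) == 7:
        if header[4] not in ("->", "<>"):
            problems.append(f"bad direction {header[4]!r}")
        for label, port in (("source", header[3]), ("destination", header[6])):
            if not PORT_RE.fullmatch(port):
                problems.append(f"bad {label} port {port!r}")
    opts = parse_options(rule[open_p + 1:close_p], problems)
    if not (opts.get("sid") or "").strip().isdigit():
        problems.append("missing or non-numeric sid (Snort 2.9 rejects rules without one)")
    return problems

# The rule as it appeared in the thread, and a corrected version (constructed here).
POSTED_RULE = 'pass any any <> any 80 (msg:"test-inline-rule"; rev:1;);'
FIXED_RULE = 'pass tcp any any <> any 80 (msg:"test-inline-rule"; sid:1000001; rev:1;)'
```

Running `lint_rule` over a rules file before restarting the sensor turns a cryptic start-up failure into a line-by-line report.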


On Thu, Feb 21, 2013 at 5:42 AM, Kaushal Shriyan
<kaushalshriyan at ...11827...>wrote:

> Hi Ayodele
>
> I have the below settings in my snort.conf -> http://fpaste.org/F8ZO/
>
> cat /tmp/interfaces
> bond0     Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0C
>           inet addr:192.168.73.67  Bcast:192.168.73.255  Mask:255.255.255.0
>           inet6 addr: fe80::e2db:55ff:fe05:d00c/64 Scope:Link
>           UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
>           RX packets:1902153 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:250497 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:232394243 (221.6 MiB)  TX bytes:93066331 (88.7 MiB)
>
> eth0      Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0C
>           UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
>           RX packets:1101579 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:250497 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:169722435 (161.8 MiB)  TX bytes:93066331 (88.7 MiB)
>           Interrupt:194 Memory:d91a0000-d91b0000
>
> eth1      Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0C
>           UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
>            RX packets:800574 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:62671808 (59.7 MiB)  TX bytes:0 (0.0 b)
>           Interrupt:202 Memory:d91d0000-d91e0000
>
> eth2      Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0E
>           inet6 addr: fe80::e2db:55ff:fe05:d00e/64 Scope:Link
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:1 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:64 (64.0 b)  TX bytes:492 (492.0 b)
>           Interrupt:210 Memory:d90a0000-d90b0000
>
> eth3      Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0F
>           inet6 addr: fe80::e2db:55ff:fe05:d00f/64 Scope:Link
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:1 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:64 (64.0 b)  TX bytes:492 (492.0 b)
>           Interrupt:218 Memory:d90d0000-d90e0000
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:104 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:104 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:5200 (5.0 KiB)  TX bytes:5200 (5.0 KiB)
>
> #ps aux | grep snort
> snort    21011  0.0  0.2 416992 71812 ?        Ssl  16:05   0:00
> /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c
> /etc/snort/snort.conf -l /var/log/snort
> root     21031  0.0  0.0  61172   748 pts/0    S+   16:09   0:00 grep snort
> I tried running /usr/sbin/snort -c /etc/snort/snort.conf -u snort -g snort
> --daq afpacket -i eth2:eth3 -Q but I don't see any traffic in the
> /var/log/snort/alert file.
>
> Please let me know if I am missing anything and if you need any
> additional certificate. Also the Datacenter folks have told us the port
> mirroring is done on the L3 switch running in L2 mode.
>
> Regards,
>
> Kaushal
>
>
>
>
> On Tue, Feb 19, 2013 at 11:25 PM, Kaushal Shriyan <
> kaushalshriyan at ...11827...> wrote:
>
>>
>>
>> On Tue, Feb 19, 2013 at 8:12 PM, Ayodele Okeowo <aymacro at ...11827...>wrote:
>>
>>> Nice! I will assume you are using the bond0 interface as your management
>>> interface and it's described in your snort config file.
>>>
>>> You shouldn't have any problem; you just have to change the format of the
>>> command line to the one I pasted earlier.
>>>
>>> Ayo
>>>
>>>
>> Thanks a lot Ayodele. Will update you as I progress and seek help here if
>> I get into issues.
>> Thanks everyone for the kind support. Much Appreciated.
>>
>> Regards,
>>
>> Kaushal
>>
>
>