Snort mailing list archives
Re: Snort Solaris 8 with quad card
From: Scott Nursten <scottn () s2s ltd uk>
Date: Tue, 02 Apr 2002 21:21:46 +0100
Another very glaring fact is that you are using the same conf.file (or are you?) for both snort processes. Now, it's possible (but IMHO, not likely) that you have your vars set up to cover the networks in both VLANs..., but if you don't, that could also be the problem.

Regards,

Scott

On 2/4/02 8:28 pm, "Erek Adams" <erek () theadamsfamily net> wrote:
> On Tue, 2 Apr 2002, Chris Frazier - PA wrote:
>
> > I have Snort running on an Ultra 5 with Solaris 8. I bring up interfaces
> > qfe2 and qfe3 without IP addresses being assigned on different VLANs, and
> > have Snort listen on those interfaces using separate commands:
> >
> > snort -D -c conf.file -l /var/log/snort/qfe2 -i qfe2
> > snort -D -c conf.file -l /var/log/snort/qfe3 -i qfe3
> >
> > When I trigger scans on those VLANs, qfe2 logs the results, but qfe3 does
> > nothing. If I kill the snort running on qfe3, and just do a
> > tcpdump -i qfe3, and run the scans again, I see the traffic.
>
> Ok, let's check this a bit more. If you use a 'snort -vade -i qfe2' and run
> scans, do you see the traffic? Where does this traffic come from? A third
> machine? If you just run the qfe3 instance (as above), does it log? Running a
> 'snort -vade -i qfe3' while scanning--Does that show any data?
>
> > So am I doing something completely wrong, or am I trying to do something
> > that is not possible.
>
> It all depends. :) 'Not Possible' just means someone else hasn't done it
> yet. ;-)
>
> > Any help is greatly appreciated.
>
> Cheers!
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
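The shared-conf question raised in the reply above can be checked mechanically. The following is an added example, not code from the thread or from the Snort project: it parses `var` lines from a Snort-style conf and reports whether each interface's subnet falls inside `HOME_NET`, which matters for rules written against `$HOME_NET`. The conf contents and the two VLAN subnets are constructed placeholders, and `!` negation in var values is not handled.

```python
import ipaddress
import re

# Constructed sample: one conf file shared by both Snort processes.
SAMPLE_CONF = """\
# constructed example, not the poster's conf.file
var DMZ_NET 192.168.20.0/24
var HOME_NET [10.1.2.0/24, $DMZ_NET]
var EXTERNAL_NET any
"""

# Constructed subnets standing in for the two VLANs behind qfe2 and qfe3.
VLANS = {"qfe2": "10.1.2.0/24", "qfe3": "10.1.3.0/24"}

VAR_LINE = re.compile(r"^\s*var\s+(\S+)\s+(.+?)\s*$")


def parse_vars(conf_text):
    """Return {name: raw value} for every 'var NAME VALUE' line."""
    found = {}
    for line in conf_text.splitlines():
        m = VAR_LINE.match(line.split("#", 1)[0])  # drop comments first
        if m:
            found[m.group(1)] = m.group(2)
    return found


def expand(name, variables, seen=()):
    """Expand a var into a list of networks; 'any' becomes 0.0.0.0/0."""
    if name in seen:
        raise ValueError("circular reference in var " + name)
    nets = []
    for item in variables[name].strip("[]").split(","):
        item = item.strip()
        if item.startswith("$"):  # reference to another var
            nets += expand(item[1:], variables, seen + (name,))
        elif item == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def coverage(conf_text, vlans, var="HOME_NET"):
    """Map each interface to True if its subnet lies inside the var."""
    nets = expand(var, parse_vars(conf_text))
    return {
        ifname: any(ipaddress.ip_network(cidr).subnet_of(n) for n in nets)
        for ifname, cidr in vlans.items()
    }
```

With the constructed values, `coverage(SAMPLE_CONF, VLANS)` reports qfe2 as covered and qfe3 as not covered, the situation the reply suspects.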
Current thread:
- Snort Solaris 8 with quad card Chris Frazier - PA (Apr 02)
- Re: Snort Solaris 8 with quad card Erek Adams (Apr 02)
- Re: Snort Solaris 8 with quad card Scott Nursten (Apr 02)
- RE: Snort Solaris 8 with quad card Jason Lewis (Apr 02)
- Re: Snort Solaris 8 with quad card Scott Nursten (Apr 02)
- <Possible follow-ups>
- RE: Snort Solaris 8 with quad card Chris Frazier - PA (Apr 03)
- Re: Snort Solaris 8 with quad card Erek Adams (Apr 02)