Snort mailing list archives

RE: Snort Just Does Not Want To Work on Shadow Interface


From: "Joshua Berry" <jberry () PENSON COM>
Date: Tue, 20 Jul 2004 09:25:48 -0500

How is $HOME_NET configured when you do have an IP address assigned?
Also, which version of Snort are you using, you said 1.2, but I think
you are wrong as that would be an incredibly old version since we are up
to 2.2.0RC1 now.

With Redhat I always used something like this:

DEVICE=eth1
ONBOOT=yes
USERCTL=no

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rhugga
Sent: Tuesday, July 20, 2004 8:56 AM
To: Snort-User Mailing List
Subject: [Snort-users] Snort Just Does Not Want To Work on Shadow Interface

I will be as terse as possible here, because I have tried configs from
people that claim they should work but aren't. I have read the
documentation probably 5 times now, (well the documentation says
version 1.0, the link on the website says 1.1, but the version I am
using is 1.2)

Anyway. My system is vanilla RH 9 with all updates except I build my own
openssl library and also using mysql 4.x in /usr/local. (I have
completely re-installed since I first started just to eliminate ANY
possible issues because some people claim snort 1.2 works as I desire on
RH 9)

eth0
-------------------------------
IP address: 10.250.200.33
Netmask: 255.255.255.0
SysKonnect Copper GB NIC directly connected to a switch in our Black 
Diamond. (Cat 6 cabling with no patch panels in between)

eth1
--------------------------------
IP address: None
Onboard Intel NIC connected to a 4 port hub. Also on this hub is a Cisco
3600 router and 2 Netscreen Firewalls.

The network on the hub is 65.120.XX.XX with netmask of 255.255.255.240

Here are the contents of the /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
BOOTPROTO=static
ONBOOT=yes
IPADDR=0.0.0.0
NETMASK=0.0.0.0

Note: I added this after I initially tried to get it working without
adding an IP. I saw this as a solution to some people's problems in the
mailing list archive.

If I look at the traffic on eth1:

syslog:/usr/local/snort/bin #./snort -i eth1 -v
Running in packet dump mode
Log directory = /var/log/snort

Initializing Network Interface eth1
OpenPcap() device eth1 network lookup:
       eth1: no IPv4 address assigned

       --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth1

       --== Initialization Complete ==--

-*> Snort! <*-
Version 2.1.3 (Build 27)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
07/20-06:28:39.383108 207.158.24.130 -> 65.120.XX.XX
IPV6-CRYPT TTL:52 TOS:0x0 ID:43725 IpLen:20 DgmLen:104
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/20-06:28:39.383705 207.158.24.130 -> 65.120.XX.XX
IPV6-CRYPT TTL:52 TOS:0x0 ID:43726 IpLen:20 DgmLen:104
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

It is reading traffic on eth1. However, when I start nagios it will run,
but it will not match anything. I get not a single alert. However, when
I assign eth1 a valid IP address on the 65.120.XX.XX network, it
immediately starts matching. Within seconds my alert count starts
climbing. (Note that when I say I am assigning it a valid IP address I
also modify HOME_NET to reflect this)

Here is how I define HOME_NET when I am trying to use snort _without_ an
IP address:

var HOME_NET [10.250.200.0/24,10.250.201.0/24,10.250.202.0/24,10.250.203.0/24,10.250.204.0/24,10.250.205.0/24,10.250.206.0/24,65.120.XX.0/28]

var EXTERNAL_NET any

What am I doing wrong? According to the documentation and the responses 
to my first emails, this config is correct.

What gives??

Thx,
Rhugga


-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
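Added example, not part of this thread or of Snort itself: a small Python checker for the HOME_NET question the thread turns on. Rules written as `$EXTERNAL_NET any -> $HOME_NET any` can only fire on packets whose destination falls inside one of the HOME_NET prefixes, so a sensor sniffing a subnet that HOME_NET does not actually cover sees the traffic (as `snort -v` does here) yet produces no alerts. The script parses a `var HOME_NET [...]` line, extracts endpoints from `snort -v` header lines, and reports packets that no HOME_NET prefix covers, plus the properly aligned prefix for an uncovered address. The HOME_NET line, the "XX" octet (replaced by 1 so it parses) and the packet lines are constructed sample values, not data from the post.

```python
import ipaddress
import re

# Constructed sample: a HOME_NET line in the style of the thread, with the
# masked "XX" octet replaced by 1. Not the original poster's data.
SAMPLE_HOME_NET_LINE = (
    "var HOME_NET [10.250.200.0/24,10.250.201.0/24,10.250.202.0/24,"
    "10.250.203.0/24,10.250.204.0/24,10.250.205.0/24,10.250.206.0/24,"
    "65.120.1.0/28]"
)

# Constructed packet header lines in the layout printed by `snort -v`.
SAMPLE_PACKETS = [
    "07/20-06:28:39.383108 207.158.24.130 -> 65.120.1.5",
    "07/20-06:28:39.383705 207.158.24.130 -> 65.120.1.33",
    "07/20-06:28:40.100000 10.250.200.7 -> 207.158.24.130",
]


def parse_home_net(line):
    """Turn `var HOME_NET [a/24,b/28,...]` into a list of IPv4Network objects.

    strict=True makes ipaddress reject a prefix with host bits set
    (e.g. 65.120.1.33/28), which is worth surfacing as a config error
    rather than silently accepting.
    """
    match = re.match(r"\s*var\s+HOME_NET\s+(.+?)\s*$", line)
    if not match:
        raise ValueError("not a `var HOME_NET ...` line: %r" % line)
    body = match.group(1).strip()
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    nets = []
    for token in body.split(","):
        token = token.strip()
        if token:
            nets.append(ipaddress.ip_network(token, strict=True))
    return nets


def endpoints(log_lines):
    """Extract (src, dst) IPv4 pairs from `snort -v` header lines."""
    pairs = []
    for line in log_lines:
        match = re.search(r"(\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+)", line)
        if match:
            pairs.append((match.group(1), match.group(2)))
    return pairs


def covering_net(addr, nets):
    """Return the first HOME_NET prefix containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net in nets:
        if ip in net:
            return net
    return None


def outside_home_net(home_net_line, log_lines):
    """Packets where neither endpoint is in HOME_NET.

    Neither `$EXTERNAL_NET any -> $HOME_NET any` nor the reverse
    direction can match these, so they never produce alerts.
    """
    nets = parse_home_net(home_net_line)
    return [
        (src, dst)
        for src, dst in endpoints(log_lines)
        if covering_net(src, nets) is None and covering_net(dst, nets) is None
    ]


def aligned_network(addr, prefixlen):
    """The correctly aligned prefix of the given length that contains addr.

    65.120.1.0/28 only spans .0-.15; the /28 holding .33 is 65.120.1.32/28.
    """
    return ipaddress.ip_network("%s/%d" % (addr, prefixlen), strict=False)


if __name__ == "__main__":
    for src, dst in outside_home_net(SAMPLE_HOME_NET_LINE, SAMPLE_PACKETS):
        print("not covered by HOME_NET: %s -> %s (try %s)"
              % (src, dst, aligned_network(dst, 28)))
```

Run it against your own snort.conf line and a few `snort -v` header lines from the shadow interface; if every packet from the monitored hub shows up as uncovered, the HOME_NET prefix is the place to look before touching the interface configuration.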
