Snort mailing list archives
RE: Snort Just Does Not Want To Work on Shadow Interrface
From: "Joshua Berry" <jberry () PENSON COM>
Date: Tue, 20 Jul 2004 09:25:48 -0500
How is $HOME_NET configured when you do have an IP address assigned? Also, which version of Snort are you using, you said 1.2, but I think you are wrong as that would be an incredibly old version since we are up to 2.2.0RC1 now. With Redhat I always used something like this: DEVICE=eth1 ONBOOT=yes USRCTL=no -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rhugga Sent: Tuesday, July 20, 2004 8:56 AM To: Snort-User Mailing List Subject: [Snort-users] Snort Just Does Not Want To Work on Shadow Interrface I will be as terse as possible here, because I have tried configs from people that claim they should work but aren't. I have read the documentatrion probably 5 times now, (well the documentation says version 1.0, the link on the website says 1.1, but the version I am using is 1.2) Anyway. My system is vanilla RH 9 with all updates except I build my own openssl library and also using mysql 4.x in /usr/local. ( I have compeltely re-installed since I first started just to eliminate ANY possible issues because some people claim snort 1.2 works as I desire on RH 9) eth0 ------------------------------- IP address: 10.250.200.33 Netmask: 255.255.255.0 SysKonnect Copper GB NIC directly connected to a switch in our Black Diamond. (Cat 6 cabling with no patch panels in between) eth1 -------------------------------- IP address: None Onboard Intel NIC connected to a 4 port hub. Also on this hub is a Cisco 3600 router and 2 Netscreen Firewalls. The network on the hub is 65.120.XX.XX with netmask of 255.255.255.240 Here are the contents of the /etc/sysconfig/network-scripts/ifcfg-eth1 DEVICE=eth1 BOOTPROTO=static ONBOOT=yes IPADDR=0.0.0.0 NETMASK=0.0.0.0 Note: I added this after I initially tried to get it working without adding an IP. I saw this as a solution to some people's problems in the mailing list archvie. If I look at the traffic on eth1: syslog:/usr/local/snort/bin #./snort -i eth1 -v Running in packet dump mode Log directory = /var/log/snort Initializing Network Interface eth1 OpenPcap() device eth1 network lookup: eth1: no IPv4 address assigned --== Initializing Snort ==-- Initializing Output Plugins! Decoding Ethernet on interface eth1 --== Initialization Complete ==-- -*> Snort! <*- Version 2.1.3 (Build 27) By Martin Roesch (roesch () sourcefire com, www.snort.org) 07/20-06:28:39.383108 207.158.24.130 -> 65.120.XX.XX IPV6-CRYPT TTL:52 TOS:0x0 ID:43725 IpLen:20 DgmLen:104 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ =+ 07/20-06:28:39.383705 207.158.24.130 -> 65.120.XX.XX IPV6-CRYPT TTL:52 TOS:0x0 ID:43726 IpLen:20 DgmLen:104 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ =+ It is reading traffic on eth1. However, when I start nagios it will run, but it will not match anything. I get not a single alert. However, when I assign eth1 a valid IP address on the 65.120.XX.XX network, it immediately starts matching. Within seconds my alert count starts climbing. (Note that when I say I am assigning it a valid IP address I also modify HOME_NET to reflect this) Here is how I define HOME_NET when I am trying to use snort _without_ an IP address: var HOME_NET [10.250.200.0/24,10.250.201.0/24,10.250.202.0/24,10.250.203.0/24,10.250. 204.0/24,10.250.205.0/24,10.250.206.0/24,65.120.XX.0/28] var EXTERNAL_NET any What am I doing wrong? According to the documentation and the responses to my first emails, this config is correct. What gives?? Thx, Rhugga ------------------------------------------------------- This SF.Net email is sponsored by BEA Weblogic Workshop FREE Java Enterprise J2EE developer tools! Get your free copy of BEA WebLogic Workshop 8.1 today. http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This SF.Net email is sponsored by BEA Weblogic Workshop FREE Java Enterprise J2EE developer tools! Get your free copy of BEA WebLogic Workshop 8.1 today. http://ads.osdn.com/?ad_idG21&alloc_id040&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort Just Does Not Want To Work on Shadow Interrface Rhugga (Jul 20)
- Re: Snort Just Does Not Want To Work on Shadow Interrface Paul Schmehl (Jul 20)
- Re: Snort Just Does Not Want To Work on Shadow Interrface Rhugga (Jul 20)
- Re: Snort Just Does Not Want To Work on Shadow Interrface Paul Schmehl (Jul 20)
- Re: Snort Just Does Not Want To Work on Shadow Interrface Rhugga (Jul 20)
- RE: Snort Just Does Not Want To Work on Shadow Interrface Patrick S. Harper (Jul 20)
- Re: Snort Just Does Not Want To Work on Shadow Interrface Rhugga (Jul 20)
- Re: Snort Just Does Not Want To Work on Shadow Interrface Paul Schmehl (Jul 20)
- <Possible follow-ups>
- RE: Snort Just Does Not Want To Work on Shadow Interrface Joshua Berry (Jul 20)
- Re: Snort Just Does Not Want To Work on Shadow Interrface Rhugga (Jul 20)
- RE: Snort Just Does Not Want To Work on Shadow Interrface Harper, Patrick (Jul 20)
- Re: Snort Just Does Not Want To Work on Shadow Interrface Rhugga (Jul 20)
- RE: Snort Just Does Not Want To Work on Shadow Interrface Patrick S. Harper (Jul 20)
- Re: Snort Just Does Not Want To Work on Shadow Interrface Rhugga (Jul 20)