Snort mailing list archives
Re: snort suddenly not capturing packets
From: "Carter Waxman (cwaxman)" <cwaxman () cisco com>
Date: Thu, 9 Jan 2014 14:02:33 +0000
Hello Ben,

Just out of curiosity, are you using the pcap DAQ? What version of libpcap do you have installed? I have experienced the same issue with Arch x64 and it seems to be tied to a versioning issue (libpcap 1.5.1-1 and above breaks in my case). Try either using the afpacket DAQ (add --daq afpacket to the command line) or downgrading to libpcap 1.4.0 (here is a link for convenience: http://www.tcpdump.org/release/libpcap-1.4.0.tar.gz).

Let me know how that works,
Carter

From: Ben Jacobs-Swearingen <bjsdaiyu () gmail com>
Date: Wednesday, January 8, 2014 7:39 PM
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Subject: [Snort-users] snort suddenly not capturing packets

Hello:

I recently restarted snort on an ArchLinux ARM (Raspberry Pi) sensor with new rules (and a slightly modified snort.conf); the post-reboot snort will launch without explicit errors but appears not to be listening to any interfaces on the sensor and I am unable to figure out why. Snort had been working correctly for months prior to this change.

The sensor has two interfaces, eth0 and eth1; mirrored traffic (for snort to process) is being sent to eth0 (which is up and running though it does not have a configured IP address), while eth1 has a configured address on an admin segment. Prior to changing the rules and rebooting snort, snort was listening to and correctly processing traffic on eth0.

- "tcpdump -i eth0" works just fine, it sees all mirrored traffic
- "snort -dev -l . -i eth0" makes it to the "listening" stage but appears to not pick up any of the traffic I generate across the interface; again, tcpdump sees this traffic just fine. "snort -dev ..." also does not work when I set it to listen on eth1 (tcpdump works there as well).
- "snort -r <bad.pcap> -c .../snort.conf" with <bad.pcap> containing traffic I want flagged DOES work correctly: the traffic is processed according to the rules, alerts are correct and sent to the correct repository.

I suspect my changes to snort.conf might have introduced a problem that I simply am not seeing so have attached the conf file for examination (but am confused in that case why "snort -r" is working since it's using the same conf file). Alternately, I have attached an strace in case something with the interface setup somehow got screwed up (as suggested by the fact that snort replay is working). I see in strace there are some errors with setsockopt(...) which might be more relevant to the capturing issue; any idea what might be causing those, assuming that those aren't par for the course?

The only similar posts I could find on this topic discuss various issues with DAQ; I don't see how those might apply in my case since the installation was working for months prior to today.

Thanks for any help.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
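The reply above boils down to a version check: on the installed libpcap 1.5.1-1 or newer, switch Snort from the pcap DAQ to afpacket, otherwise keep the command line from the original post. The POSIX sh script below is an added example, not code from either poster or from the Snort project; it assumes dotted version strings such as "1.4.0" or Arch package strings such as "1.5.1-1", and the `pacman -Q libpcap` detection is an assumption for Arch only (it prints "unknown" elsewhere so the version can be passed in via LIBPCAP_VERSION).

```sh
#!/bin/sh
# Added example (not from the thread): choose a Snort DAQ from the installed
# libpcap version, following the report that libpcap 1.5.1-1 and above broke
# capture through the pcap DAQ on Arch while the afpacket DAQ still worked.
# Assumptions: versions look like "1.4.0" or "1.5.1-1"; detection relies on
# pacman and is only a guess for Arch-based sensors.

# vcomp VERSION N: print the N-th dotted component of VERSION (0 if absent).
# A trailing "." is appended so every input has a delimiter for cut -s, and
# anything after a non-digit (the Arch "-1" package release) is dropped.
vcomp() {
    c=$(printf '%s.\n' "$1" | cut -s -d. -f"$2" | sed 's/[^0-9].*//')
    printf '%s\n' "${c:-0}"
}

# version_ge A B: exit 0 when version A >= version B, comparing up to three
# numeric components so that 1.10.x correctly sorts above 1.5.x.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(vcomp "$1" "$i")
        b=$(vcomp "$2" "$i")
        if [ "$a" -gt "$b" ]; then
            return 0
        elif [ "$a" -lt "$b" ]; then
            return 1
        fi
        i=$((i + 1))
    done
    return 0
}

# choose_daq LIBPCAP_VERSION: the DAQ name to hand to "snort --daq".
choose_daq() {
    if version_ge "$1" 1.5.1; then
        echo afpacket
    else
        echo pcap
    fi
}

# snort_cmd LIBPCAP_VERSION IFACE: the capture command line from the original
# post ("snort -dev -l . -i eth0"), with "--daq afpacket" appended when needed.
snort_cmd() {
    daq=$(choose_daq "$1")
    if [ "$daq" = afpacket ]; then
        echo "snort -dev -l . -i $2 --daq afpacket"
    else
        echo "snort -dev -l . -i $2"
    fi
}

# installed_libpcap_version: Arch-only detection via pacman (assumption);
# prints "unknown" elsewhere so the caller can supply LIBPCAP_VERSION.
installed_libpcap_version() {
    if command -v pacman >/dev/null 2>&1; then
        v=$(pacman -Q libpcap 2>/dev/null | awk '{print $2}')
        printf '%s\n' "${v:-unknown}"
    else
        echo unknown
    fi
}

ver=${LIBPCAP_VERSION:-$(installed_libpcap_version)}
if [ "$ver" = unknown ]; then
    echo "libpcap version not detected; rerun with LIBPCAP_VERSION=x.y.z" >&2
else
    echo "libpcap $ver -> $(snort_cmd "$ver" eth0)"
fi
```

Run it on the sensor as `LIBPCAP_VERSION=$(pacman -Q libpcap | awk '{print $2}') sh daq-pick.sh` (or just `sh daq-pick.sh` on Arch); it prints the Snort command line to try. Whether a given libpcap build actually works with the pcap DAQ still has to be confirmed by generating traffic and watching Snort's packet counters, as the original post did with tcpdump alongside.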
Current thread:
- snort suddenly not capturing packets Ben Jacobs-Swearingen (Jan 09)
- Re: snort suddenly not capturing packets Carter Waxman (cwaxman) (Jan 09)
- Re: snort suddenly not capturing packets Ben Jacobs-Swearingen (Jan 14)
- Re: snort suddenly not capturing packets Carter Waxman (cwaxman) (Jan 09)