[Dshield] Snort listen on non-address interface

Brian Jameson brian at jameson.co.uk
Fri Aug 22 11:43:44 GMT 2003


Nguyen,
	Hi, try snort in sniffer mode, reporting on all packets (snort -v -i eth1).
This will show you if the interface is working. If you do get something, then
it looks like you have something odd in your .conf file, or of course you are
not setting off any alerts, in which case use an existing rule as a template
to create an alert tcp any any -> any any type rule.
Regards,
Brian

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org]On
Behalf Of Nguyen Nhu Hao
Sent: 23 August 2003 09:47
To: General DShield Discussion List
Subject: [Dshield] Snort listen on non-address interface


Hello all,
I have a Redhat box with 2 network cards and I would like to run snort listening
on one interface and use the other interface for the analyst. On the interface
that snort listens on, I don't want to assign an IP address, but when snort
starts, I cannot capture any packets. How can I solve the problem?
Here is my configuration:

[root at linhcanh snort]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:60:B0:67:9E:9B
          inet addr:172.16.5.100  Bcast:172.16.5.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5892 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2792 errors:0 dropped:0 overruns:319 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:11 Base address:0x4800

eth1      Link encap:Ethernet  HWaddr 00:02:A5:40:7E:7A
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:101734 errors:0 dropped:0 overruns:0 frame:0
          TX packets:87 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:5 Base address:0x4840

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:256 errors:0 dropped:0 overruns:0 frame:0
          TX packets:256 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

[root at linhcanh snort]#

And snort script

case "$1" in
  start)
        echo -n "Starting snort: "
        cd /var/log/snort
        daemon /usr/local/bin/snort -i eth1 -d -D -A full -l /var/log/snort -c /etc/snortd/snort.conf
        touch /var/lock/subsys/snort
        echo
        ;;


Thank you in advance
Nguyen Nhu Hao
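
The triage order suggested in the reply (is the interface seeing traffic, then is a rule firing), as an added example that is not part of the original thread. The function names, the msg text and the sid are constructed; the parser also accepts the newer ifconfig layout, which goes beyond the output shown in the post, and the live steps assume snort and ifconfig are installed.

```shell
#!/bin/sh
# Added example, not from the thread. Live use (as root): sh thisfile run eth1

# Constructed sample: the eth1 block in the ifconfig format quoted in the post.
SAMPLE='eth1      Link encap:Ethernet  HWaddr 00:02:A5:40:7E:7A
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:101734 errors:0 dropped:0 overruns:0 frame:0
          TX packets:87 errors:0 dropped:0 overruns:0 carrier:0'

# Print "<up|down> <addressed|no-address> rx=<count>" for one ifconfig block.
# Accepts the old "inet addr:" / "packets:N" layout and the newer "inet " / "packets N".
iface_summary() {
    printf '%s\n' "$1" | awk '
        /inet (addr:)?[0-9]/ { addr = 1 }
        /[ <]UP[ ,>]/        { up = 1 }
        /RX packets/         { v = ($2 == "packets") ? $3 : $2
                               sub(/^packets:/, "", v); rx = v }
        END { printf "%s %s rx=%s\n", (up ? "up" : "down"),
              (addr ? "addressed" : "no-address"), (rx == "" ? 0 : rx) }'
}

# Map a summary line to the next troubleshooting step.
next_step() {
    case "$1" in
        down*)  echo "bring the link up (no address is needed)" ;;
        *rx=0)  echo "no frames reach the NIC: check what the port is connected to" ;;
        *)      echo "interface receives traffic: run snort -v, then test the rules" ;;
    esac
}

# Catch-all rule of the kind described in the reply. The msg text and sid are
# constructed; sid values of 1000000 and above are the range for local rules.
test_rule() {
    printf 'alert tcp any any -> any any (msg:"%s"; sid:%s; rev:1;)\n' "${1:-sensor test}" "${2:-1000001}"
}

# Live procedure, only when invoked with "run"; interface defaults to eth1.
if [ "${1:-}" = "run" ]; then
    ifc=${2:-eth1}
    next_step "$(iface_summary "$(ifconfig "$ifc")")"
    snort -v -i "$ifc" -n 20                 # sniffer mode, stop after 20 packets
    conf=$(mktemp) && test_rule > "$conf"    # config holding only the test rule
    snort -i "$ifc" -A console -c "$conf"    # any TCP packet should now alert
fi
```

If the catch-all rule alerts but the production configuration stays silent, the interface is fine and the problem is in snort.conf or its rules.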
