[Snort-users] Re: Snort not listening on interface

Paul Greene, 04-10-2006

I sent in this message earlier that doesn't seem to have appeared on the
list yet, but I think I found the problem anyway. (maybe I sent the
original to the admin address by mistake)

When I checked the running processes, the startup command was listed and
it was listening on eth0. I wanted it to listen on eth1, so I modified
the startup script in /etc/init.d/snort to point to eth1, restarted the
service, waited a couple of hours and the alerts started coming in. So,
all is well (apparently).

If this will help someone with a similar problem, maybe it's worth the
resend.

Paul Greene wrote:
> I recently installed Snort using the "Snort Enterprise Install"
> instructions by Patrick Harper. During the install I had one NIC card
> installed, and this was assigned an IP address on my internal network.
> I ran a few nmap scans against the Snort sensor to make sure it was
> capturing alerts and all seemed well.
>
> I added a second NIC after everything was working fine, and did not
> assign it an IP address. I connected a hub to the CAT5 cable coming
> from my cable modem, plugged the firewall into the hub, and plugged
> this new 2nd NIC card from the Snort sensor into the hub.
>
> Traffic in and out of the network is flowing fine through the
> firewall, but the Snort sensor isn't capturing any alerts through this
> new 2nd interface. After being plugged into the wide open internet for
> about 18 hours now, I can't believe the box has not been scanned by
> some script kiddie yet. I also went out to the Gibson Research website
> and ran the port scan back against my firewall, which I thought should
> generate some alerts, but, again, nothing came up.
>
> Running an ifconfig command on this 2nd NIC looked like the card was
> not in promiscuous mode, so I ran an "ifconfig eth1 promisc" command,
> and then the promisc option was now showing on the card.
>
> The OS is CentOS 4.2, Snort 2.4.3. The only rule set I disabled was
> SNMP (because my internal wireless router was generating a bunch of
> false positives).
>
> Any suggestions?
>
> Paul Greene
>
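
The check described in the post (looking at the running process to see which interface Snort was started on), written as an added example that is not part of the original post. The process listings, binary path and config path are constructed samples; `-i` is Snort's interface option.

```shell
#!/bin/sh
# Added example (not from the original post). Sample listings are constructed.

# Read a `ps -eo args` listing on stdin; print the -i interface of every snort
# process, or "(default)" when snort was started without -i.
snort_ifaces() {
    awk '{
        n = split($1, path, "/")
        if (path[n] != "snort") next          # skip non-snort processes
        iface = "(default)"
        for (i = 2; i <= NF; i++) {
            if ($i == "-i" && i < NF) iface = $(i + 1)      # "-i eth1"
            else if ($i ~ /^-i./)     iface = substr($i, 3) # "-ieth1"
        }
        print iface
    }'
}

# check_sensor WANT   (ps listing on stdin)
# Returns 0 if a snort process sniffs WANT, 1 if snort runs but only on other
# interfaces, 2 if no snort process is present.
check_sensor() {
    want=$1
    found=$(snort_ifaces)
    if [ -z "$found" ]; then
        echo "no snort process found"; return 2
    fi
    if printf '%s\n' "$found" | grep -qxF -- "$want"; then
        echo "ok: snort is sniffing on $want"; return 0
    fi
    echo "mismatch: wanted $want, snort is on $(printf '%s' "$found" | tr '\n' ',')"
    return 1
}

# Constructed listings: the init script still passes eth0, then the corrected eth1.
PS_BEFORE='/usr/sbin/sshd
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -D
grep snort'
PS_AFTER='/usr/sbin/sshd
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -D'

printf '%s\n' "$PS_BEFORE" | check_sensor eth1 || true
printf '%s\n' "$PS_AFTER"  | check_sensor eth1 || true
# Live use on the sensor: ps -eo args | check_sensor eth1
```

Running this from cron or a monitoring agent catches a sensor that is up but bound to the wrong NIC, a failure that otherwise shows only as an absence of alerts.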



