From: David Wilkeson (davelistcboss.com)
Date: Tue Nov 27 2001 - 11:15:41 CST


    Welp, I finally fixed it. I set up eth1, flipped my cable over, set snort
    to use eth1, and boom, it started working. My only guess is that eth0 does
    not support promiscuous mode. I went back and forth a couple of times just
    to make sure I didn't do anything else differently, and it's definitely the
    Ethernet card. For anyone else with the problem, it's a Dell PowerEdge
    2550 rackmount server.

    Thanks for all your help!

    Dave

    At 04:20 PM 11/26/2001 -0600, you wrote:
    >Well, if it were my machine, I'd first delete all rpm's pertaining to
    >libpcap, then go into the /usr/local/lib and /usr/lib directories and
    >delete anything that smelled of libpcap.
    >
    >Then, reinstall from source the 0.6.2 libpcap stuff. Unfortunately, I
    >don't know any other way to do it.
    >
    >
    >Mike
    >
    >-----Original Message-----
    >From: David Wilkeson [mailto:davelistcboss.com]
    >Sent: Monday, November 26, 2001 3:34 PM
    >To: Michael Aylor
    >Subject: RE: [Snort-users] Snort on Linux Help
    >
    >
    >I did that, and they were both loaded (even though I previously thought I
    >disabled them). However, removing them did no good.
    >
    >The problem is definitely with libpcap. I completely removed my libpcap
    >RPMs and snort still started up and did the same thing as it did every
    >other time. How can you check what libpcap it is using?
    >
    >Dave
    >
    >At 10:47 AM 11/26/2001 -0600, you wrote:
    > >Oh yeah, thought of something else.
    > >
    > >
    > >When you run ntsysv, does ipchains or iptables show as startup daemons?
    > >If so, uncheck them, reboot.
    > >
    > >
    > >Mike
    > >
    > >-----Original Message-----
    > >From: David Wilkeson [mailto:davelistcboss.com]
    > >Sent: Monday, November 26, 2001 10:15 AM
    > >To: Chris Grout; snort-userslists.sourceforge.net
    > >Subject: RE: [Snort-users] Snort on Linux Help
    > >
    > >
    > >At 03:39 PM 11/21/2001 -0800, you wrote:
    > > >I'll ask the dumb questions...
    > > >
    > > >1. With Snort or your Ethereal running, does 'ifconfig' really show
    > > >that interface as being in promiscuous mode?
    > >
    > >Nope. However, when I type "ifconfig eth0 promisc" it goes into
    > >promiscuous mode, but it doesn't change the output of ethereal or
    > >snort. So to recap, the syslog indicates the interface entering and
    > >leaving promiscuous mode, but ifconfig does not report it in promiscuous
    > >mode unless I manually put it into promiscuous mode.
    > >
    > > >2. You are running this as root or with root privileges right? I'd
    > > >expect it to complain loudly if you weren't but figured I'd ask anyways.
    > > >You do need root privs to put the NIC in to promisc mode and it sounds
    > > >like syslog is reporting it as working. (but these are the dumb
    > > >questions)
    > >
    > >Yes I am.
    > >
    > > >3. What brand of Linux? RedHat? Debian? Suse?
    > >
    > >Redhat, loaded by Dell.
    > >
    > > >4. With it running, do a 'netstat -i' (obfuscate your IP just to be
    > > >safe), and send me the output. I think '-i' works in linux...
    > >
    > >Are you sure that's the one you want? It really doesn't show much of
    > >anything other than counters.
    > >
    > >Dave
    > >
    > >
    > >
    > >_______________________________________________
    > >Snort-users mailing list
    > >Snort-userslists.sourceforge.net
    > >Go to this URL to change user options or unsubscribe:
    > >https://lists.sourceforge.net/lists/listinfo/snort-users
    > >Snort-users list archive:
    > >http://www.geocrawler.com/redir-sf.php3?list=snort-users
    >

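
The symptom discussed in this thread, where syslog reports the interface entering promiscuous mode while the interface flags do not show it, can be checked mechanically. The script below is an added example, not part of the original messages: the function names and the sample log lines are constructed, and it assumes the flags value is supplied as a number such as the hex word in /sys/class/net/<iface>/flags on a kernel that exposes sysfs.

```shell
#!/bin/sh
# Added example: compare what the kernel log says about promiscuous mode with
# the interface flags word. Function names and sample data are constructed.

IFF_PROMISC=256   # 0x100, the PROMISC bit in the Linux interface flags

# flag_is_promisc FLAGS: succeeds when the PROMISC bit is set in FLAGS.
# FLAGS is a number such as the hex value in /sys/class/net/<iface>/flags
# (assumption: the kernel exposes sysfs).
flag_is_promisc() {
    [ $(( $1 & $IFF_PROMISC )) -ne 0 ]
}

# last_logged_state IFACE: reads kernel log text on stdin and prints the most
# recent transition logged for IFACE: "entered", "left" or "none".
last_logged_state() {
    awk -v ifc="$1" '
        index($0, "device " ifc " entered promiscuous mode") { s = "entered" }
        index($0, "device " ifc " left promiscuous mode")    { s = "left" }
        END { print (s == "" ? "none" : s) }'
}

# check_iface IFACE FLAGS: log on stdin; prints OK or MISMATCH with the detail.
check_iface() {
    logged=$(last_logged_state "$1")
    if flag_is_promisc "$2"; then flag=set; else flag=clear; fi
    case "$logged/$flag" in
        entered/set|left/clear|none/clear) echo "OK $1 log=$logged flag=$flag" ;;
        *) echo "MISMATCH $1 log=$logged flag=$flag" ;;
    esac
}

# Constructed sample: a sniffer started, stopped, and started again on eth0.
SAMPLE_LOG='Nov 26 10:01:02 host kernel: device eth0 entered promiscuous mode
Nov 26 10:05:40 host kernel: device eth0 left promiscuous mode
Nov 26 10:06:11 host kernel: device eth0 entered promiscuous mode'

# Flags 0x1003 has the PROMISC bit clear, 0x1103 has it set.
printf '%s\n' "$SAMPLE_LOG" | check_iface eth0 0x1003
printf '%s\n' "$SAMPLE_LOG" | check_iface eth0 0x1103
```

A MISMATCH line for a sensor interface means the sniffer's view and the interface state disagree, which is the condition this thread spent several messages chasing.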