From: Jason Lewis (jlewispacketnexus.com)
Date: Tue Apr 02 2002 - 17:19:38 CST


    I always use separate conf files for each instance. I have run snort on a
    quad card in a Sun box with no problem.

    jas

    -----Original Message-----
    From: snort-users-adminlists.sourceforge.net
    [mailto:snort-users-adminlists.sourceforge.net]On Behalf Of Scott
    Nursten
    Sent: Tuesday, April 02, 2002 3:22 PM
    To: Erek Adams; Chris Frazier - PA
    Cc: snort-userslists.sourceforge.net
    Subject: Re: [Snort-users] Snort Solaris 8 with quad card

    Another very glaring fact is that you are using the same conf.file (or are
    you?) for both snort processes. Now, it's possible (but IMHO, not likely)
    that you have your vars set up to cover the networks in both VLANs..., but
    if you don't, that could also be the problem.

    Regards,

    Scott

    On 2/4/02 8:28 pm, "Erek Adams" <erektheadamsfamily.net> wrote:

    > On Tue, 2 Apr 2002, Chris Frazier - PA wrote:
    >
    >> I have Snort running on an Ultra 5 with Solaris 8. I bring up interfaces
    >> qfe2 and qfe3 without IP addresses being assigned on different VLANs, and
    >> have Snort listen on those interfaces using separate commands:
    >>
    >> snort -D -c conf.file -l /var/log/snort/qfe2 -i qfe2
    >> snort -D -c conf.file -l /var/log/snort/qfe3 -i qfe3
    >>
    >> When I trigger scans on those VLANs, qfe2 logs the results, but qfe3 does
    >> nothing. If I kill the snort running on qfe3, and just do a tcpdump -i
    >> qfe3, and run the scans again, I see the traffic.
    >
    > Ok, let's check this a bit more. If you use a 'snort -vade -i qfe2' and run
    > scans, do you see the traffic? Where does this traffic come from? A third
    > machine? If you just run the qfe3 instance (as above), does it log? Running a
    > 'snort -vade -i qfe3' while scanning--Does that show any data?
    >
    >> So am I doing something completely wrong, or am I trying to do something
    >> that is not possible.
    >
    > It all depends. :) 'Not Possible' just means someone else hasn't done it
    > yet. ;-)
    >
    >> Any help is greatly appreciated.
    >
    > Cheers!
    >
    > -----
    > Erek Adams
    > Nifty-Type-Guy
    > TheAdamsFamily.Net
    >
    >
    > _______________________________________________
    > Snort-users mailing list
    > Snort-userslists.sourceforge.net
    > Go to this URL to change user options or unsubscribe:
    > https://lists.sourceforge.net/lists/listinfo/snort-users
    > Snort-users list archive:
    > http://www.geocrawler.com/redir-sf.php3?list=snort-users
    >

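Scott's question about whether the vars in a shared conf file cover both VLANs can be checked before each instance is started. The following is an added example, not code from the thread or from the Snort project: it reads `var HOME_NET` from a conf file and reports whether it includes the network a given interface monitors. The subnets, the file contents and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample configs (assumed, not from the thread).
SHARED_CONF = """\
# conf.file passed to both instances
var HOME_NET 10.2.0.0/24
var EXTERNAL_NET any
"""
QFE3_CONF = """\
# separate file for the qfe3 instance
var HOME_NET [10.3.0.0/24, 10.3.1.0/24]
"""

VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(.+?)\s*$", re.MULTILINE)


def parse_vars(conf_text):
    """Return {name: value} for each 'var NAME VALUE' line; '#' comment lines never match."""
    return {m.group(1): m.group(2) for m in VAR_RE.finditer(conf_text)}


def home_net_covers(conf_text, monitored_cidr, var_name="HOME_NET"):
    """True/False if var_name does/does not include monitored_cidr.

    Returns None when the value uses a $variable or '!' negation and
    cannot be decided from this file alone.
    """
    value = parse_vars(conf_text).get(var_name)
    if value is None:
        return False
    if value == "any":
        return True
    if "$" in value or "!" in value:
        return None
    target = ipaddress.ip_network(monitored_cidr)
    items = [v.strip() for v in value.strip("[]").split(",") if v.strip()]
    nets = [ipaddress.ip_network(v, strict=False) for v in items]
    return any(target.subnet_of(n) for n in nets)


def check_instances(instances):
    """instances: {interface: (conf_text, monitored_cidr)} -> {interface: verdict}."""
    return {ifc: home_net_covers(conf, cidr) for ifc, (conf, cidr) in instances.items()}


if __name__ == "__main__":
    print(check_instances({"qfe2": (SHARED_CONF, "10.2.0.0/24"),
                           "qfe3": (SHARED_CONF, "10.3.0.0/24")}))
```

A `False` verdict only shows that rules written against `$HOME_NET` would not match that interface's traffic; rules using `any` are unaffected.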