From: Francis Yom (fyomsymmsys.com)
Date: Tue Jul 02 2002 - 09:24:26 CDT

    Thanks for the advice Dan, but it's not it. I have snort running on an
    old but reliable 10BaseT hub. It used to be able to work just fine under
    the older 1.73 version of snort.

    I did have problems getting the thing into promisc mode initially. I
    have an Intel E100B adapter in it. Using the e100.o module you can
    compile from Intel's source, I could not get it to go promisc. I
    switched over to the open source (David Hine's) eepro100 module, and I
    could get it to run in promisc at that point.

    I do have some snorting. The stream4 preprocessor seems to work and I
    can detect port 21 stealth activity, but that is it.

    I have all the rules enabled and the box is a Pentium Pro 180 (400
    bogomips). I'm running Debian with Kernel 2.4.19-pre1-ac2 with rmap VM
    and xfs filesystem. System has run stable - no oops or crashes or any
    other weirdness.

    So what do you think?

    -f

    PS. Any snorters here from NYC? I'm going to be in town for 4th of
    July. :-)

    On Tue, 2002-07-02 at 10:05, Dan Fiorito wrote:
    > If it is an Auto Sense hub it will act as a switch between speeds. Make sure all devices are running at the same speed.
    >
    > Dan
    >
    > -----Original Message-----
    > From: Francis Yom [mailto:fyomsymmsys.com]
    > Sent: Tue 7/2/2002 9:22 AM
    > To: Jason Gauthier
    > Cc: 'Eric Ferguson'; snort-userslists.sourceforge.net
    > Subject: RE: [Snort-users] Promiscuous monitoring
    >
    >
    >
    > I have the exact same problem. I hope someone can pass a clue as to
    > what might be causing this.
    >
    > -francis
    >
    > On Tue, 2002-07-02 at 08:02, Jason Gauthier wrote:
    > > My first thought is that the EXTERNAL_NET variable isn't set right.
    > > Is that assigned as "any"?
    > >
    > >
    > >
    > > -----Original Message-----
    > > From: Eric Ferguson [mailto:eric.fergusonjaguartech.com]
    > > Sent: Tuesday, July 02, 2002 7:06 AM
    > > To: snort-userslists.sourceforge.net
    > > Subject: [Snort-users] Promiscuous monitoring
    > >
    > >
    > >
    > > I have Snort 1.8.6 running on Red Hat 7.3 with ACID and MySQL. I start
    > > Snort with the -v option to verify that Snort is seeing traffic and all
    > > seems well. My only problem is that attacks (ones I generate myself) are
    > > only logged if directed at the Snort IP address. If I direct an attack to
    > > another machine on the same subnet, Snort does not identify the attack (yes
    > > I am running a hub and not a switch...:-)). Sounds like something simple to
    > > me, I am just not sure what it is.
    > >
    > >
    > >
    > > Thanks,
    > >
    > >
    > >
    > > Eric Ferguson - NNCSE
    > >
    > > 4440 Embassy Drive
    > >
    > > Sykesville, Md. 21784
    > >
    > > phone: 410-876-0585
    > >
    > > cell: 443-677-6119
    > >
    > > email: eric.fergusonjaguartech.com
    > >
    > >
    > >
    >
    >
    >
    >
    > -------------------------------------------------------
    > This sf.net email is sponsored by:ThinkGeek
    > Welcome to geek heaven.
    > http://thinkgeek.com/sf
    > _______________________________________________
    > Snort-users mailing list
    > Snort-userslists.sourceforge.net
    > Go to this URL to change user options or unsubscribe:
    > https://lists.sourceforge.net/lists/listinfo/snort-users
    > Snort-users list archive:
    > http://www.geocrawler.com/redir-sf.php3?list=snort-users
    >
    >
