Re: [Snort-users] Snort will not detect anything on stealth interface unless I assign IP
From: Rhugga (snort-list sandiego420.com)
Date: Mon Jul 19 2004 - 08:58:23 CDT
Jason Haar wrote:
>On Sat, Jul 17, 2004 at 12:10:25PM -0700, Rhugga wrote:
>
>
>>I have attached 1 interface of from ISD box a hub containing our border
>>router and our 2 firewalls. I bring the interface up with no IP address
>>and snort will not start due to $eth1_ADDRESS being null.
>>
>>
>
>Well that's not right. I've run snort from RH7 to Fedora Core2 and it
>doesn't need an IP address.
>
>However, the interface has to be UP.
>
>Make sure your /etc/sysconfig/network-scripts/ifcfg-ethX looks like this:
>
>DEVICE=eth1
>ONBOOT=yes
>BOOTPROTO=static
>IPADDR=0.0.0.0
>NETMASK=0.0.0.0
>
>Change ethX appropriately.
>
>
>
>>snort will start when eth1 has this dummy IP address but no rules are
>>getting detected.
>>
>>
>
>What does tcpdump on that interface show? If it can't see traffic, then
>neither can snort. Actually "snort -v -i ethX" should do the same.
>
>
>
>>When I put a valid IP address on that interface in the same net as the
>>router and firewalls, snort then starts matching rules...
>>
>>
>
>Err... Now you're just getting freaky :-)
>
>
>
Oh, part of the problem is that I usually rip out Red Hat's kludgy
config system for my own init scripts and I don't use the sysconfig
directory for most things. I also rarely trust any of Red Hat's rpms for
core components such as mysql and openssl.

Is there any reason why this would not work:

    ifconfig eth1 down
    ifconfig eth1 0.0.0.0
    ifconfig eth1 up

I tried this and snort would not start, complaining the HOME_NET was not
defined. FYI: The explicit ifconfig eth1 up on line 3 is not needed
according to the specs; the interface should be brought up automatically
in step 2.

Rhugga
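
Added example (not part of the original message, and not Snort's own code): a shell check for the failure discussed in this thread, where snort.conf derives HOME_NET from $eth1_ADDRESS and the sniffing interface carries no IP. The function names, the sample configs and the treatment of 0.0.0.0 as "no address" are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies how a snort.conf sets
# HOME_NET and flags the combination that fails on an IP-less sensor port.

# Print iface:<name>, static:<value> or missing for the conf file in $1.
# The last active "var HOME_NET" line is the one reported.
classify_home_net() {
    awk '
        /^[ \t]*#/ { next }                      # ignore comment lines
        $1 == "var" && $2 == "HOME_NET" {
            val = $3
            if (val ~ /^\$[A-Za-z0-9]+_ADDRESS$/) {
                sub(/^\$/, "", val); sub(/_ADDRESS$/, "", val)
                result = "iface:" val
            } else {
                result = "static:" val
            }
        }
        END { print (result == "" ? "missing" : result) }
    ' "$1"
}

# $1 = conf file, $2 = sniffing interface, $3 = its current IPv4 address
# (empty or 0.0.0.0 is treated as "no address": an assumption of this sketch).
# Prints ok or a reason; returns non-zero when HOME_NET would be empty.
check_stealth_conf() {
    kind=$(classify_home_net "$1")
    case "$kind" in
        missing) echo "HOME_NET not defined"; return 1 ;;
        "iface:$2")
            if [ -z "$3" ] || [ "$3" = "0.0.0.0" ]; then
                echo "HOME_NET depends on \$${2}_ADDRESS but $2 has no IP"
                return 1
            fi ;;
    esac
    echo ok
}

# Constructed sample configs (not taken from the thread).
SAMPLES=$(mktemp -d)
printf '%s\n' '# var HOME_NET 10.0.0.0/8' 'var HOME_NET $eth1_ADDRESS' \
    > "$SAMPLES/iface.conf"
printf '%s\n' 'var HOME_NET 192.0.2.0/24' > "$SAMPLES/static.conf"

check_stealth_conf "$SAMPLES/iface.conf" eth1 "" || true   # flagged
check_stealth_conf "$SAMPLES/static.conf" eth1 ""          # ok
```

A config that sets HOME_NET to an explicit network passes the check regardless of whether the sniffing interface has an address.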