Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: [Snort-users] Snort will not detect anything on stealth interface unless I assign IP
From: Rhugga (snort-listsandiego420.com)
Date: Mon Jul 19 2004 - 08:58:23 CDT
Jason Haar wrote:
>On Sat, Jul 17, 2004 at 12:10:25PM -0700, Rhugga wrote:
>>I have attached 1 interface of from ISD box a hub containing our border
>>router and our 2 firewalls. I bring the interface up with no IP address
>>and snort will not start due to $eth1_ADDRESS being null.
>Well that's not right. I've run snort from RH7 to Fedora Core2 and it
>doesn't need an IP address.
>However, the interface has to be UP.
>Make sure your /etc/sysconfig/network-scripts/ifcfg-ethX looks like this:
>Change ethX appropriately.
>>snort will start when eth1 has this dummy IP address but no rules are
>What does tcpdump on that interface show? If it can't see traffic, then
>neither can snort. Actually "snort -v -i ethX" should do the same.
>>When I put a valid IP address on that interface in the same net as the
>>router and firewalls, snort then starts matching rules...
>Err... Now you're just getting freaky :-)
Oh, part of the problem is that I usually rip out Red Hat's cludgy
config system for my own init scripts and I don't use the sysconfig
directory for most things. I also rarely trust any of Red Hat's rpms for
core components such as mysql and openssl.
Is there any reason why this would not work:
ifconfig eth1 down
ifconfig eth1 0.0.0.0
ifconfig eth1 up
I tried this and snort would not start, complaining the HOME_NET was not
defined. FYI: The explicit ifconfig eth1 up on line 3 is not needed
according to the specs, the interface should be brought up automatically
in step 2.
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
Snort-users mailing list
Go to this URL to change user options or unsubscribe:
Snort-users list archive: