Re: [Snort-users] Snort Just Does Not Want To Work on Shadow Interface

From: Rhugga (snort-listsandiego420.com)
Date: Tue Jul 20 2004 - 17:18:20 CDT


Paul Schmehl wrote:

> --On Tuesday, July 20, 2004 6:55 AM -0700 Rhugga
> <snort-listsandiego420.com> wrote:
>
>>
>> If I look at the traffic on eth1:
>>
>> syslog:/usr/local/snort/bin #./snort -i eth1 -v
>> Running in packet dump mode
>> Log directory = /var/log/snort
>>
>> Initializing Network Interface eth1
>> OpenPcap() device eth1 network lookup:
>> eth1: no IPv4 address assigned
>>
>> --== Initializing Snort ==--
>> Initializing Output Plugins!
>> Decoding Ethernet on interface eth1
>>
>> --== Initialization Complete ==--
>>
>> -*> Snort! <*-
>> Version 2.1.3 (Build 27)
>> By Martin Roesch (roeschsourcefire.com, www.snort.org)
>> 07/20-06:28:39.383108 207.158.24.130 -> 65.120.XX.XX
>> IPV6-CRYPT TTL:52 TOS:0x0 ID:43725 IpLen:20 DgmLen:104
>> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>>
>>
>> 07/20-06:28:39.383705 207.158.24.130 -> 65.120.XX.XX
>> IPV6-CRYPT TTL:52 TOS:0x0 ID:43726 IpLen:20 DgmLen:104
>> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>>
>>
> So snort *is* working. You can see it with your own eyes.
>

Yes, using Pat Harper's info I got to this point a few emails back. It
is reading packets on that network but it is not matching rules. (before
I did not have the 65.120.xx.xx network in HOME_NET) The second I give
it a valid IP address it starts matching rules. Believe, I am just as
perplexed as all.

>> It is reading traffic on eth1.
>
>
> And you acknowledge it as well.
>
>> However, when I start nagios it will run,
>> but it will not match anything.
>
>
> What does nagios have to do with snort?

Sorry, as I mentioned a few messages previous to this I am also building
a nagios system at the same time and towards the end of a 16-hour day my
wording was getting garbled in my brain somewhere. I am also recovering
a 1/2 TB oracle database at the same time with nasty data corruption.
Heh, fighting fires on top of fires and trying to build management
infrastructure on top of all that. =( (so that it can help me fight
fires,.... oh I have gone cross-eyed)

>
>> I get not a single alert.
>
>
> Not a single alert where? You've been asked this before. *Please*
> show us your snort.conf file - grep -v "#" /etc/snort/snort.conf (or
> whatever the correct path is.) It's really hard to troubleshoot blind.

As I mentioned before, my snort config is currently vanilla (as in the
provided sample) with the exception of HOME_NET and EXTERNAL_NET. Yes, I
know that is not a good config to run permanently. Once I get the core
system working, I will start adding in my rulesets and customizations.

>
>> However, when I
>> assign eth1 a valid IP address on the 65.120.XX.XX network, it
>> immediately starts matching. Within seconds my alert count starts
>> climbing. (Note that when I say I am assigning it a valid IP address I
>> also modify HOME_NET to reflect this)
>>
> So it's not the same setup as the one that's failing. Show us your
> snort.conf file, *please*! Show us the section of /var/log/messages
> that shows you bringing up snort.
>
> You've already proven, to us and to yourself, that snort can see
> traffic on an interface with no IP assigned. (BTW, I'd be leery of
> assigning 0.0.0.0 to an interface. x.x.x.0 is the designated address
> for a network and should not be used as a "live" address, just as
> x.x.x.255 is the broadcast address for a network. I wouldn't trust it
> to work correctly, and it shouldn't be needed. Your networking
> scripts should have something like:
>
Yea, as I mentioned before the reason I tried this setting was because I
saw this as a solution to someone's problem in the mailing list archive.
All Balls (0.0.0.0) is the default route, always. That is exactly why I
would not run that setting permanently; I was merely using that setting
as a troubleshooting tool.

> ifconfig up
> bootproto none
> userctl no
>
> And that should work fine.
>
> Here's mine, for FreeBSD, and it works fine.
>
> bash-2.05b# grep ifconfig_xl0 /etc/rc.conf
> ifconfig_xl0="promisc up"
>
> bash-2.05b# ifconfig xl0
> xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
> inet6 fe80::260:97ff:fe74:28e7%xl0 prefixlen 64 scopeid 0x1
> ether 00:60:97:74:28:e7
> media: Ethernet autoselect (100baseTX)
> status: active
>
> PROMISC is obsoleted in RedHat, so you don't need to use that, but up
> should work just fine.
>
> Paul Schmehl (paulsutdallas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
