
[Snort-users] Running snort in daemon mode disables network connection

From: Sadanapalli, Pradeep Kumar (MED, TCS) <Pradeep.Sadanapalli(at)med.ge.com>
Date: Fri Feb 28 2003 - 16:52:16 EST


Thanks Adams,
Here is what I am trying to do.

I am running snort-1.9.0 on my redhat linux 8.0 laptop. I am using my wireless
network card interface to connect to the network. My linux box is connected in
the LAN.

I would like to run an Intrusion Detection System and Personal Firewall on the
Linux box, which is just a workstation, not a server.

I want to detect whatever port scans take place on my network interface (whether
they are internal to the LAN or external to the LAN) and report it to a central
server.

I am not using the other network interface, eth0. It is just left unconnected to any cable.

When I am running snort in daemon mode, I am losing my network connection. I am not able to connect
to any box in the LAN. Please help me if I am doing something wrong.

What is this promiscuous mode? To run snort, is it necessary that my network card
interface should be in promiscuous mode? Why does running snort disable my network connection?

Hope I am clear.


Thanks in advance for all your help

Pradeep

-----Original Message-----
From: Erek Adams [mailto:erek@snort.org]
Sent: Friday, February 28, 2003 2:57 PM
To: Sadanapalli, Pradeep Kumar (MED, TCS)
Cc: 'Joe Giles'; 'snort-users@lists.sourceforge.net'
Subject: RE: [Snort-users] Unable to receive alerts

On Fri, 28 Feb 2003, Sadanapalli, Pradeep Kumar (MED, TCS) wrote:

> Thanks Joe.
> network connection.
>
> Why my network connection is getting disabled when I run the snortd
> script?
> Am I doing something wrong?

Well, if your wireless card works like mine does, when you enter promisc mode, it can't associate with the AP anymore, since it's listening on 'all
channels'. Try starting Snort with the "-p" option.

Cheers!



Erek Adams

   "When things get weird, the weird turn pro." H.S. Thompson


>
> -----Original Message-----
> not defining any report output to anything. All the output options are
> > latitude C610.
> > hosts.
> > # No arguments loads the default configuration of the preprocessor, which is a
> > #----------------------------------------------------------------------
> > # Use in concert with the -z [all|est] command line switch to defeat
> > # stick/snot against TCP rules. Also performs full TCP stream
> > statefully
> > # detect various portscan types, fingerprinting, ECN, etc.
> > generate alerts
> > ip stack
> > # implementations out there
> > #
> > # disable_evasion_alerts - disable fragroute alerting. Useful for
> > # machines with odd retransmission patterns
> > #
> > # keepstats [machine|binary] - keep session statistics, add "machine" to
> > # get them in a flat format for machine reading, add
> > # "binary" to get them in a unified binary output
> > # format
> > # noinspect - turn off stateful inspection only
> > # timeout [number] - set the session timeout counter to [number] seconds,
> > # default is 30 seconds
> > # memcap [number] - limit stream4 memory usage to [number] bytes
> > # log_flushed_streams - if an event is detected on a stream this option will
> > # cause all packets that are stored in the stream4
> > # packet buffers to be flushed to disk. This only
> > 50000
> > #
> > # put a list of the networks you are interested in Spade observing packets
> > make use of hosts on
> > # the same layer 2 segment as you. Specify one host IP MAC combo per line.
> > # Also takes a "-unicast" option to turn on unicast ARP request detection.
> > configuring
> > # and using this plugin.
> > #
> > # output database: log, mysql, user=root password=test dbname=db host=localhost
> > # output database: alert, postgresql, user=snort dbname=snort
> > # output database: log, unixodbc, user=snort dbname=snort
> > # output database: log, mssql, dbname=snort user=snort password=test
> >
> > # xml: xml logging
> > # ----------------
> > appended)
> > # limit - maximum size of spool file in MB (default: 128)
> > #
> > # output alert_unified: filename snort.alert, limit 128
> > # output log_unified: filename snort.log, limit 128
> >
> >
> > # trap_snmp: SNMP alerting for Snort
> > # -------------------------------------------------------------
> > using this
> > authPriv
> > # -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener
> > #For SNMPv3 informs with authentication and encryption
> > #output trap_snmp: alert, 7, inform -v 3 -p 162 -u snortUser -l authPriv
> > myTrapListener
> >
> > # You can optionally define new rule types and associate one or
> > # more output plugins specifically to that type.
> > #
> > # This example will create a type that will log to just tcpdump.
> > # ruletype suspicious
> > # {
> > being LEET"; \
> > # flags:A+;)
> >
> > #
> > # Include classification & priority settings
> > #
> >
> > include classification.config
> >
> >
> > ####################################################################
> > # Step #4: Customize your rule set
> > #
> > # Up to date snort rules are available at http://www.snort.org
> > #
> > # The snort web site has documentation about how to write your own
> > # custom snort rules.
> > #
> > # The rules included with this distribution generate alerts based on
> > # on suspicious activity. Depending on your network environment, your
> > # security policies, and what you consider to be suspicious, some of
> > # these rules may either generate false positives or may be detecting
> > # activity you consider to be acceptable; therefore, you are
> > # encouraged to comment out rules that are not applicable in your
> > # environment.
> > #
> > # Note that using all of the rules at the same time may lead to
> > # serious packet loss on slower machines. YMMV, use with caution,
> > # standard disclaimers apply. :)
> > #
> > # The following individuals contributed many of rules in this
> > # distribution.
> > #
> > # Credits:
> > # Ron Gula <rgula@securitywizards.com> of Network Security Wizards
> > # Max Vision <vision@whitehats.com>
> > # Martin Markgraf <martin@mail.du.gtn.com>
> > # Fyodor Yarochkin <fygrave@tigerteam.net>
> > # Nick Rogness <nick@rapidnet.com>
> > # Jim Forster <jforster@rapidnet.com>
> > # Scott McIntyre <scott@whoi.edu>
> > # Tom Vandepoel <Tom.Vandepoel@ubizen.com>
> > # Brian Caswell <bmc@snort.org>
> > # Zeno <admin@cgisecurity.com>
> > # Ryan Russell <ryan@securityfocus.com>
> > #
> > #=========================================
> > # Include all relevant rulesets here
> > #
> > # shellcode, policy, info, backdoor, and virus rulesets are
> > # disabled by default. These require tuning and maintenance.
> > # Please read the included specific file for more information.
> > #=========================================
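The fix Erek suggests above (start Snort with "-p" so the wireless card is not switched into promiscuous mode) can be checked from the shell. The script below is an added example written for this thread; it is not code from the original post or from the Snort project. It builds the Snort 1.9 daemon command line with "-p", tests a captured `ip link` line for the PROMISC flag, and, when the `ip` tool is present, reads the live flags of an interface. The interface name wlan0, the config path and the two sample `ip link` lines are assumptions/constructed, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the original post or the Snort project).
# wlan0, /etc/snort/snort.conf and the SAMPLE_* lines below are assumptions.

# Build a Snort 1.9 daemon command line. "-p" turns promiscuous mode off,
# "-D" runs Snort as a daemon, "-i" selects the interface, "-c" the config.
# Without "-p" Snort puts the card into promiscuous mode, which on many
# wireless drivers drops the association with the access point.
snort_cmd() {
    iface="$1"
    conf="$2"
    printf 'snort -p -D -i %s -c %s\n' "$iface" "$conf"
}

# Return 0 when an `ip link show <iface>` header line carries the PROMISC
# flag, 1 otherwise. Only the comma-separated flag list inside <...> is read.
is_promisc() {
    flags=${1#*<}        # drop everything up to and including '<'
    flags=${flags%%>*}   # drop everything from '>' to the end
    case ",$flags," in
        *,PROMISC,*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Live check for a defender verifying a workstation: 0 = interface is in
# promiscuous mode, 1 = it is not, 2 = could not determine (no `ip` tool
# or no such interface).
check_iface() {
    iface="$1"
    if ! command -v ip >/dev/null 2>&1; then
        return 2
    fi
    line=$(ip -o link show "$iface" 2>/dev/null) || return 2
    is_promisc "$line"
}

# Constructed sample lines in the shape `ip -o link show` prints (not real output).
SAMPLE_PROMISC='3: wlan0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT'
SAMPLE_NORMAL='3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT'

# Run with the argument "demo" to see the command line and the two checks.
if [ "${1:-}" = "demo" ]; then
    snort_cmd wlan0 /etc/snort/snort.conf
    if is_promisc "$SAMPLE_PROMISC"; then
        echo "sample 1: PROMISC set, AP association may drop"
    fi
    if ! is_promisc "$SAMPLE_NORMAL"; then
        echo "sample 2: PROMISC not set"
    fi
fi
```

On a laptop in the situation described in the thread, `check_iface wlan0` returning 0 while Snort runs without "-p" is the condition to look for; after restarting Snort with the "-p" flag it should return 1 and the card should stay associated with the access point.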




Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

Received on Fri Feb 28 16:59:36 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:11:46 EDT

