
RE: [Snort-users] Running snort in daemon mode disables network connection

From: Sadanapalli, Pradeep Kumar (MED, TCS) <Pradeep.Sadanapalli(at)med.ge.com>
Date: Fri Feb 28 2003 - 18:52:33 EST


I tried to run snort with the -p option. Now my network interface is not running in promiscuous mode,
as I found out by executing "dmesg|tail -10". But still my network connection is getting disabled
immediately after running snort. I am not even able to ping any other machine in the LAN, and
other machines are not able to connect to my machine.

Here is part of the snortd script I am running.

"
# Specify your network interface here
INTERFACE=eth1
LOGDIR=/var/log/snort/
CONFIGFILE=/etc/snort/snort.conf
SNORTBINARY=/usr/local/bin/snort

RETVAL=0

start() {
	echo -n $"Starting snort: "
	# -p: do not put the interface into promiscuous mode; -D: run as a daemon
	daemon $SNORTBINARY -p -A fast -b -l /var/log/snort -d -D -i $INTERFACE -c $CONFIGFILE
	RETVAL=$?
	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/snortd
	echo
	echo -n $"(log to " $LOGDIR " with configfile " $CONFIGFILE ")"
	echo
}
"

What else may be going wrong? Appreciate your help. Thanks in advance for all your help.

Pradeep

-----Original Message-----
From: Erek Adams [mailto:erek@snort.org]
Sent: Friday, February 28, 2003 5:23 PM
To: Sadanapalli, Pradeep Kumar (MED, TCS)
Cc: 'Erek Adams'; 'snort-users@lists.sourceforge.net'
Subject: Re: [Snort-users] Running snort in daemon mode disables network connection

On Fri, 28 Feb 2003, Sadanapalli, Pradeep Kumar (MED, TCS) wrote:


> I am running snort-1.9.0 on my redhat linux 8.0 laptop. I am using my box
> is connected in the LAN.
>
> I would like to run an Intrusion Detection System and Personal Firewall
> on the Linux box, which is just a workstation, not a server. interface(
> whether they are internal to the LAN or external to the LAN) and report
> it to a central server.

Easy enough.

> I am not using other network interface,eth0. It is just left unconnected
> to any cable.

No problem. Forget about it.

> When I am running snort in daemon mode, I am losing my network help
> me if I am doing something wrong.

It's not Daemon mode that is giving you grief--It's promiscuous mode that
is.

> What is this promiscuous mode?

To sort of quote "The Red Book" [0]....


'Ethernet is sort of like a "polite" dinner party. If you want to talk to
someone, you write the message on a bit of paper, fold it, and on the outside you write the name of the recipient. Everyone looks at the address, but not at what's inside.'

Promiscuous mode is different. You _read_ all the bits of paper no matter
who it is for.

Since you just want to look for scans and attacks that are headed to you,
you don't need promisc mode. You just want what's destined for your interface.... Hence, no need of promiscuous mode.

Simply start Snort with the "-p" flag and it should work fine.

Cheers!



Erek Adams

   "When things get weird, the weird turn pro." H.S. Thompson

[0] http://www.amazon.com/exec/obidos/tg/detail/-/0131510517/qid=1046473814/sr=1-2/ref=sr_1_2/104-8282033-5068702?v=glance&s=books

(URL may wrap)



Received on Fri Feb 28 19:23:28 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:11:46 EDT
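
Added example, not part of the original thread or of Snort: a shell check of whether an interface is up and whether it is in promiscuous mode, as a complement to the "dmesg|tail -10" check mentioned in the message above. It assumes a Linux system that exposes /sys/class/net/<iface>/flags; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: read an interface's kernel flag word from sysfs and
# report link state and promiscuous state.
# Assumption: Linux with /sys/class/net/<iface>/flags (hex, e.g. 0x1003).

IFF_UP=0x1         # interface is administratively up (<linux/if.h>)
IFF_PROMISC=0x100  # interface receives all frames, not just its own

# flag_set FLAGS MASK: succeed if every bit of MASK is set in FLAGS
flag_set() {
    [ $(( $1 & $2 )) -eq $(( $2 )) ]
}

# describe_flags FLAGS: print "<up|down> <promisc|non-promisc>"
describe_flags() {
    if flag_set "$1" "$IFF_UP"; then state=up; else state=down; fi
    if flag_set "$1" "$IFF_PROMISC"; then mode=promisc; else mode=non-promisc; fi
    echo "$state $mode"
}

# iface_flags IFACE [SYSROOT]: print the flag word, fail if IFACE is unknown
iface_flags() {
    f="${2:-/sys/class/net}/$1/flags"
    [ -r "$f" ] || return 1
    cat "$f"
}

# check_iface IFACE [SYSROOT]: one-line report; returns 2 for an unknown interface
check_iface() {
    flags=$(iface_flags "$1" "$2") || { echo "$1: no such interface"; return 2; }
    echo "$1: $(describe_flags "$flags") (flags=$flags)"
}

# Stand-alone use: check every interface named on the command line,
# e.g. before and after starting the sensor.
for i in "$@"; do check_iface "$i"; done
```

Running it against the sniffing interface before and after the sensor starts shows both whether the "-p" flag kept the interface out of promiscuous mode and whether the interface itself stayed up.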

