
Snort Forums Archive




Snort running in NIDS mode, but only alerting for localhost


Posted by geekgerl on March 11, 2005 05:38:04

Hello,

I'm running Snort on a linux server with two ethernet interfaces. I have snort sniffing on eth1, a stealth interface (no ip address) which connects to a SPAN port on my backbone switch. When I run a tcpdump on eth1, I'm showing all backbone traffic reported and so I know that the SPAN configuration is correct. The other interface (eth0) has an ip address, and is behind a firewall. That is how I access the server remotely.

The issue is that Snort is only alerting for attacks destined for the host it's running on, 192.168.1.3. For example, when I send Code Red traffic to 192.168.1.3 I get an alert. I know that the traffic is getting picked up by eth1 because the firewall blocks port 80 traffic to the host. When I send Code Red traffic to other hosts on my network, no alerts are generated.

My startup options:

snort -D -u snort -i eth1 -l /var/log/snort -c /etc/snort/snort.conf

Excerpt from my snort.conf:

var HOME_NET [192.168.1.0/24,192.168.2.0/24]
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET


I know that I must be missing something, but I'm not sure what.

Thanks in advance for any assistance!

-Laura

Posted by roesch on March 11, 2005 18:39:34

Hi Laura,

Have you tried running Snort in sniffer mode on eth1 to make sure you're seeing packets to more than just the local machine? If you're only seeing stuff for the local IP, it almost sounds like your SPAN isn't working right. Check that you can sniff traffic outside the localhost first (snort -dvi eth1) and let us know what happens.

-Marty

Posted by geekgerl on March 13, 2005 09:01:57

For some reason, eth1 left promiscuous mode. DOH! So even though tcpdump was showing the packets received by the interface, they were never making it to my ip stack (and therefore never processed by Snort). All is good now - I'm implementing a cron script to check the interface hourly and re-enable promiscuous mode in case this happens again.

Thanks!

-Laura
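The hourly cron check Laura mentions is a sensible safeguard for a stealth SPAN interface, and it is worth noting why tcpdump still showed traffic: tcpdump puts the interface into promiscuous mode itself while it runs (unless started with -p), so it is not a reliable test of the interface's standing state. The script below is an added example, not Laura's script or anything shipped with Snort; it assumes iproute2 (`ip`) is installed and that the interface name is passed as an argument. The flag check is separated into its own function that parses `ip link show` text, so it can be exercised without a live interface.

```shell
#!/bin/sh
# Added example (not from the original thread): re-enable promiscuous mode on a
# sniffing interface if it has dropped out. Intended to be run hourly from cron:
#   0 * * * * /usr/local/sbin/check-promisc.sh eth1
# Assumes iproute2 ("ip") is available. The interface name is a parameter; eth1
# is only the value from the thread.

# Return 0 (true) if the given "ip link show" output carries the PROMISC flag
# inside the <...> flag list. Takes the text as an argument so the check can be
# run against captured output without touching a real interface.
link_is_promisc() {
    printf '%s\n' "$1" | grep -q '<[^>]*PROMISC[^>]*>'
}

# Check one interface and re-enable promiscuous mode if it is off.
# Prints a timestamped line either way so cron mail shows what happened, and
# logs to syslog when it had to intervene (logger is optional).
ensure_promisc() {
    iface="$1"
    state=$(ip link show "$iface" 2>/dev/null) || {
        echo "$(date '+%F %T') $iface: interface not found" >&2
        return 2
    }
    if link_is_promisc "$state"; then
        echo "$(date '+%F %T') $iface: PROMISC already set"
        return 0
    fi
    ip link set "$iface" promisc on || {
        echo "$(date '+%F %T') $iface: failed to enable PROMISC" >&2
        return 1
    }
    echo "$(date '+%F %T') $iface: PROMISC was off, re-enabled"
    command -v logger >/dev/null 2>&1 && \
        logger -t snort-promisc "re-enabled promiscuous mode on $iface"
    return 0
}

# Only act when an interface name was given on the command line.
if [ -n "$1" ]; then
    ensure_promisc "$1"
fi
```

Running the script needs root (or CAP_NET_ADMIN) to call `ip link set`, so install it as a root cron job. A lower-noise variant of the same check is to have the script only print when it actually changed something, so cron mail arrives only on the interesting case.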