
Snort Forums Archive


Snort not recognizing my NIC


Posted by jhyiesla on March 10, 2005 02:58:43

I'm trying to install Snort as a host-based IDS. I'm primarily interested in monitoring activity that takes place on that particular PC. I have successfully set it up in command-line mode and I have also used the IDS Center product. Snort starts up and loads the rules just fine, but never gets any data. It looks like Snort is not recognizing my NIC and so doesn't see any traffic. In IDS Center, the interfaces are listed as ????. This appears to vary from computer to computer. On some, with the same settings, it recognizes the NIC just fine and I get data. However, of course, on the ones that I want it to work on it will not see the interface. Why is this happening?

Thanx...Jon

Posted by jplanier on March 10, 2005 08:55:07

I am very new to Snort but I ran into a problem which sounds like yours. I use Snort 2.3.0 with MySQL 4.1.8 on XP.

To identify your pc interface, run 'snort -W' from the command line. My ethernet interface was #2. Before I included '-i2' on the snort command line, I also got no packet logging. I tested this by inserting into the local.rules file the following: 'alert tcp any any -> any any (msg:"TCP traffic";)'

This logs all TCP traffic. Clicking on three web pages in two minutes produced 184 entries to the MySQL event table and to the alert.ids logfile.

By the way, I could not make IDScenter work with my Snort-MySQL setup. When I started Snort from IDScenter, I got an error: no host IP netmask. The snort.conf file was also rewritten, maybe to an earlier Snort format.

After removing IDScenter and rolling back snort.conf, Snort was once again happily feeding at the trough.

Good luck!

Posted by jhyiesla on March 10, 2005 09:42:52

Thanx...that worked. I had actually finally found it by running the command line and scrolling back to the point where I saw the Interface command. This PC has a firewire port on it that the system thinks is a network adapter and that was what it was fixating on. So, I actually went to the registry and found the key for my real card and substituted the CLSID # for that card in the command line as -1 \device\NPF_{xxx}. This works. I did the -W as you suggested and can see the NICs and I do have an interface #. Anyway, I substituted the # for the CLSID entry and that works as well...

And I agree about the IDS Center. The GUI is great for configing things, but it seems very flakey when it comes to implementation. I could never get Snort to run from IDS Center because it would not pick up the NIC. Then even when I ran it by hand, it had messed with the rules and/or .conf file in some way that kept Snort from running right. Anyway, I did as you and reloaded Snort and configured the .conf file by hand and it's working well. I just need to tweak the rules now.

Thanx again...Jon