RE: Snort on Linux Help

[Erek Adams <erek () theadamsfamily net>]

On Mon, 26 Nov 2001, David Wilkeson wrote:

> Nope.  However, when I type "ifconfig eth0 promisc" it goes into
> promiscuous mode, but it doesn't change the output of ethereal or
> snort.  So to recap, the syslog indicates the interface entering and
> leaving promiscuous mode, but ifconfig does not report it in promiscuous
> mode unless I manually put it into promiscuous mode.

Fine.  It's not like an OS to ever 'be mistaken' about something...  ;-)

The big question is this:  Are you _sure_ you're on a device that you can see
all traffic on?  IOW, is that hub/switch _really_ a hub or not?

http://www.snort.org/docs/faq.html#6.21

Also, is it physically attatched to the net so that it could see all packets?
Are you trying to hit it from the outside?  Or are you trying another machine?

> Redhat, loaded by Dell.

*sigh*  Ummmm....  Look, it's a UFO!

Ditch the RPM's.  Remove libpcap and snort RPMs if used.  Install the newest
versions of libpcap (0.6.2) and snort (1.8.2/3) from the sources.

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users