Snort mailing list archives
Re: I can not see it
From: "Nick Oliver" <nwoliver () gmail com>
Date: Thu, 5 Oct 2006 12:39:12 -0500
Snort starts as a service - "service snort start or restart or stop" are the options there. In order to shift your sensor to eth1 you need to modify the snort startup script in the /etc/init.d directory to change the default eth0 to eth1.
nwo
On 10/5/06, Greta.Ji () sungard com <Greta.Ji () sungard com> wrote:
That is another question of mine. When I run "snort start", I get the prompt:
Starting snort service:
What should I enter? I know there is a lot of reading, but I have just started.
Thank you,
--Greta
-----Original Message-----
From: Patrick S. Harper [mailto:patrick () internetsecurityguru com]
Sent: Thursday, October 05, 2006 12:54 PM
To: Ji, Greta; kisero () gmail com
Cc: Snort-users () lists sourceforge net
Subject: RE: [Snort-users] I can not see it
You will need to change the interface in your init script, then restart snort.
-----Original Message-----
From: snort-users-bounces () lists sourceforge net
[mailto:snort-users-bounces () lists sourceforge net] On Behalf Of
Greta.Ji () sungard com
Sent: Thursday, October 05, 2006 9:37 AM
To: kisero () gmail com
Cc: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] I can not see it
Esteban,
Thank you for answering my mail. I spent a few hours and finally fixed the problem.
When I use "tcpdump -i eth1", I can see the traffic sent from the switch.
I have another problem. Snort/BASE only captures eth0 traffic, which I use for the monitor connection. I cannot see traffic on eth1.
How can I sniff eth1 traffic to Snort? I checked snort.conf, and I did not find anywhere for it.
Thank you for all of your help,
--Greta
________________________________
From: Esteban Ribicic [mailto:kisero () gmail com]
Sent: Thursday, October 05, 2006 10:12 AM
To: Ji, Greta
Cc: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] I can not see it
Maybe you are confusing the NIC you must sniff; try tcpdump -i any -n (under Linux).
On 10/3/06, Greta.Ji () sungard com <Greta.Ji () sungard com> wrote:
Hi,
I am a new user on this list. I have a simple problem, and hope to get some help. I just installed Snort 2.6 on CentOS. I followed the document to bring eth1 up (eth0 has an IP to connect to the internal network). But I cannot see any traffic on eth1 (tcpdump -i eth1). I checked the switch, and I can see traffic on the interface (# sh interface f0/8):
monitor session 1 source interface Fa0/2
monitor session 1 destination interface Fa0/8
270471 packets output, 65224246 bytes, 0 underruns
Did I miss anything here? Could someone help me?
Thank you,
--Greta
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Now at this last we must take a hard road, a road unforeseen. There lies our hope, if hope it be. To walk into peril to Mordor.
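The init-script change described in this message, as an added shell example that is not part of the original thread. It assumes the script names the interface either as "-i eth0" on the snort command line or through a variable called INTERFACE; the sample script, the function name set_snort_iface and the paths inside the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: the init script names the interface either as
# "-i eth0" on the snort command line or as INTERFACE=eth0; check yours first.

# set_snort_iface FILE OLD NEW
# Replaces OLD with NEW where it follows "-i " or "INTERFACE=", as a whole
# name only (eth0 does not match eth01). Keeps FILE.bak; returns 1 if OLD
# is not configured in FILE, 2 on I/O errors.
set_snort_iface() {
    file=$1 old=$2 new=$3
    pat="(-i[[:space:]]+|INTERFACE=\"?)$old([^[:alnum:]]|\$)"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    if ! grep -Eq -e "$pat" "$file"; then
        echo "interface $old not configured in $file" >&2
        return 1
    fi
    cp -p "$file" "$file.bak" || return 2
    sed -E "s/$pat/\\1$new\\2/g" "$file.bak" > "$file"
}

# Constructed stand-in for an init script (not the real CentOS file).
sample_init() {
    cat <<'EOF'
#!/bin/sh
INTERFACE=eth0
start() {
    echo -n "Starting snort service: "
    /usr/sbin/snort -D -i $INTERFACE -c /etc/snort/snort.conf
}
EOF
}

# Demo on a temporary copy; on a real sensor the target would be the script
# in /etc/init.d, followed by "service snort restart".
demo=$(mktemp)
sample_init > "$demo"
set_snort_iface "$demo" eth0 eth1 && grep -n 'INTERFACE=' "$demo"
rm -f "$demo" "$demo.bak"
```

The function refuses to touch the file when the old interface is not found, which catches the case where the interface is set somewhere other than the script being edited.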
