Koozali.org: home of the SME Server

SME 5.6 Snort - Server only

gbl

SME 5.6 Snort - Server only
« on: March 25, 2003, 05:37:22 PM »
I'm trying to configure SNORT with eth0 only.

---------------------------------------------
In snort.conf template I wrote

# Set up the external network addresses as well.
# A good start may be "any"
var EXTERNAL_NET any

#-- added for SME template --#
#var EXTERNAL_NET !$HOME_NET
#----#
---------------------------------------------
My Log says:

Mar 27 22:20:28 linux snort-mysql: Initializing Output Plugins!
Mar 27 22:20:28 linux modprobe: modprobe: Can't locate module eth1  <<<<<<<
Mar 27 22:20:28 linux modprobe: modprobe: Can't locate module eth1
Mar 27 22:20:28 linux snort-mysql: ioctl(SIOC*MTU):No such device
Mar 27 22:20:28 linux snort-mysql: Automagic MTU discovery failed. Using default 1500
Mar 27 22:20:28 linux snort-mysql: FATAL ERROR: ERROR: OpenPcap() device eth1 open:  ^Ibind: No such device
Mar 27 22:20:28 linux snortd: snort-mysql startup failed


Where is the .conf file that contains eth1?

Cyrus Bharda

Re: SME 5.6 Snort - Server only
« Reply #1 on: March 26, 2003, 01:30:59 AM »
I tried, unsuccessfully, to change snort to monitor ppp0 instead of eth0, but I tried for a bit and looked around and came to the conclusion that you can't change it; hopefully someone can prove me wrong?

Or maybe my problem was that snort could only monitor actual physical devices? I dunno, got fed up, didn't get any response from these forums so I just gave up :-)


Cyrus Bharda

JoeyP

Re: SME 5.6 Snort - Server only
« Reply #2 on: March 26, 2003, 12:12:04 PM »
Look at your /etc/init.d/snortd.
That's where you set the interface to monitor.


======/etc/init.d/snortd=======
# Specify your network interface here
INTERFACE=eth0

# See how we were called.
case "$1" in
  start)
        echo -n "Starting snort: "
        cd /var/log/snort
        daemon /usr/sbin/snort -A fast -b -l /var/log/snort -d -D \
                 -i $INTERFACE -c /etc/snort/snort.conf
        touch /var/lock/subsys/snort
......................... .....

hth

JoeyP
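
An added example, not part of the original posts: a pre-flight check that reads the INTERFACE= setting from a snortd-style init script like the one quoted above and confirms the device exists before snort is started, the condition behind a "No such device" failure like the one in the first post's log. The function names and the use of /sys/class/net (a Linux kernel with sysfs) are assumptions; the demo files are constructed.

```shell
#!/bin/sh
# Added example: verify the interface named in a snortd-style init script.

# Print the value of the last uncommented INTERFACE= assignment in script $1.
snort_iface_from_script() {
    awk -F= '/^[ \t]*INTERFACE=/ { v = $2 }
             END { sub(/#.*/, "", v); gsub(/[" \t]/, "", v); print v }' "$1"
}

# Return 0 if the interface exists, 1 if it is missing, 2 if none is set.
# $2 is the directory that lists network devices (assumed: Linux sysfs).
snort_iface_check() {
    script=$1
    netdir=${2:-/sys/class/net}
    iface=$(snort_iface_from_script "$script")
    if [ -z "$iface" ]; then
        echo "no INTERFACE= line in $script" >&2
        return 2
    fi
    if [ -e "$netdir/$iface" ]; then
        echo "ok: $iface is present"
        return 0
    fi
    echo "missing: $iface (snort would fail with 'No such device')" >&2
    echo "present: $(ls "$netdir" | tr '\n' ' ')" >&2
    return 1
}

# Constructed demo: an init script fragment that names eth1, checked against
# a fake device directory that contains only eth0 and lo.
demo=$(mktemp -d)
mkdir -p "$demo/net/eth0" "$demo/net/lo"
printf '# Specify your network interface here\nINTERFACE=eth1\n' > "$demo/snortd"
snort_iface_check "$demo/snortd" "$demo/net" || echo "exit status: $?"
rm -rf "$demo"
```

On a live system the call would be `snort_iface_check /etc/init.d/snortd`, run before starting the service.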

gbl

Re: SME 5.6 Snort - Server only
« Reply #3 on: March 26, 2003, 01:22:37 PM »
Thanks.

I also found this script. If I configure it as you described, SNORT starts successfully but:

1st) If I create an attack on my server like http:///cgi-bin?/etc/passwd, my server never responds!

2nd) Snort does not log into MySQL! It creates its own log in /var/log/snort ...