Snort not capturing traffic

Posted on 2006-04-09
Last Modified: 2010-03-18
I'm new to snort and trying to make it work in our existing network. The snort box is set up with two NIC cards: one is connected to the internal network (e0, promiscuous mode disabled) for management and the other is connected on the outside of the PIX firewall (e1, promiscuous mode) to sniff all the packets coming in and out of the PIX. My interfaces configuration is as follows:

For E0:

eth0      Link encap:Ethernet  HWaddr 00:50:8B:F3:75:89  
          inet addr:  Bcast:  Mask:
          RX packets:675 errors:0 dropped:0 overruns:0 frame:0
          TX packets:446 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:39242 (38.3 Kb)  TX bytes:41825 (40.8 Kb)
          Interrupt:11 Base address:0x2800 Memory:c6ffb000-c6ffb038

For E1:

eth1      Link encap:Ethernet  HWaddr 00:50:8B:AC:91:55  
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:15 Base address:0x3000 Memory:c4fff000-c4fff038

When I do snort -c /etc/snort/snort.conf -v I do not see any traffic on e1. The only time you see traffic scrolling on the terminal is when you direct traffic to the snort box, that is, when I connect to the management console ACID I see traffic on the terminal. Other than that, nothing.

What am I missing? Any ideas are appreciated.
Question by:stressedout2004

    Expert Comment

    My first thought would be to check what you are connecting to. If it's a hub, it's easy to sniff. If it's a switch, you will likely not have an easy time of it, as the traffic for others will never come to you. From your comments, it appears you see your self-directed traffic just fine, so I will assume you want to see the network as a whole. The configuration of your network could also impede your being able to sniff anything, but that you'd have to talk to your network security guys about.

    LVL 9

    Author Comment

    Thanks schnook9. Currently, I have the PIX outside interface, my DSL connection and the snort sniffing interface all connected to a hub. I wanted to sniff all traffic coming in and out of the firewall. So from the configuration standpoint of the snort interfaces themselves, it all looks ok?

    LVL 1

    Accepted Solution

    I assume this is a Linux install. Do you have libpcap installed? If you watch the console or look through the logfile, does it actually show a statement such as "Promiscuous mode enabled on eth1"?

    You may also want to just try something simple like tcpdump to see if it works any better.

    Try "tcpdump -i eth1"

    That should give you a lot of output if there is any traffic on eth1 (including your own connection if you are using it to connect to the box). If tcpdump works then we can safely say that it is something to do with the snort install that is causing your problem.

    LVL 9
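    The accepted solution's reasoning (does the NIC itself see frames, and is it promiscuous, before blaming Snort) can be applied mechanically to ifconfig-style output. The helper below is an added example, not code from the thread; the function name triage_iface is my own, and the sample output is constructed (addresses and the eth2 block are invented), modelled on the listing in the question with the flags line that a full ifconfig shows.

```shell
#!/bin/sh
# Constructed sample modelled on the ifconfig output in the question (not the poster's data).
# The flags line (UP BROADCAST ... PROMISC ...) is what a full ifconfig listing shows.
SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:50:8B:F3:75:89
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:675 errors:0 dropped:0 overruns:0 frame:0
          TX packets:446 errors:0 dropped:0 overruns:0 carrier:0

eth1      Link encap:Ethernet  HWaddr 00:50:8B:AC:91:55
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

eth2      Link encap:Ethernet  HWaddr 00:50:8B:00:00:01
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:12894 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
'

# triage_iface "<ifconfig output>" <interface>
# Prints "<interface> <verdict>", where the verdict is one of:
#   no-frames          RX counter is 0: the kernel never saw a frame, so the fault is
#                      upstream of Snort/libpcap (cable, hub vs. switch, wrong port)
#   not-promisc        frames arrive but PROMISC is not set: only traffic addressed
#                      to this host will ever be seen
#   ok-check-sniffer   frames arrive in promiscuous mode: look at Snort/libpcap itself
#   unknown-interface  the interface does not appear in the output
triage_iface() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[a-zA-Z]/ { cur = $1; next }           # a non-indented line starts a new interface
        cur != want { next }                     # only look inside the requested block
        /PROMISC/ { promisc = 1 }
        /RX packets:/ { split($2, a, ":"); rx = a[2]; seen = 1 }
        END {
            if (!seen)         { print want " unknown-interface"; exit }
            if (rx == 0)       { print want " no-frames" }
            else if (!promisc) { print want " not-promisc" }
            else               { print want " ok-check-sniffer" }
        }'
}

# On a live box feed real output instead: triage_iface "$(ifconfig -a)" eth1
for ifc in eth0 eth1 eth2; do
    triage_iface "$SAMPLE" "$ifc"
done
```

    For the question's eth1 the verdict is no-frames, which is exactly the case where "tcpdump -i eth1" would also stay silent and the hub cabling, not Snort, is the thing to check.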

    Author Comment

    I'll try that out, sorry to get back so late.
