Snort not capturing traffic

I'm new to Snort and trying to make it work in our existing network. The Snort box is set up with two NIC cards,
one is connected in the internal network (e0, promiscuous mode disabled) for management and the other connected on the outside of the PIX firewall (e1, promiscuous mode) to sniff all the packets coming in and out of the PIX. My interface configuration is as follows:

For E0:

DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
PROMISC=no
IPADDR=192.168.0.144
NETMASK=255.255.255.0
USERCTL=no
PEERDNS=no
GATEWAY=192.168.0.1
TYPE=Ethernet
NETWORK=192.168.0.0
BROADCAST=192.168.0.255

For E1:

DEVICE=eth1
PROMISC=yes
ONBOOT=yes


When I do snort -c /etc/snort/snort.conf -v I do not see any traffic on e1. The only time you see traffic scrolling on the terminal is when you direct traffic to the Snort box, that is, when I connect to the management console ACID I see traffic on the terminal. Other than that, nothing.

eth0      Link encap:Ethernet  HWaddr 00:50:8B:F3:75:89  
          inet addr:192.168.0.144  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:675 errors:0 dropped:0 overruns:0 frame:0
          TX packets:446 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:39242 (38.3 Kb)  TX bytes:41825 (40.8 Kb)
          Interrupt:11 Base address:0x2800 Memory:c6ffb000-c6ffb038

eth1      Link encap:Ethernet  HWaddr 00:50:8B:AC:91:55  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:15 Base address:0x3000 Memory:c4fff000-c4fff038


What am I missing? Any ideas are appreciated.
stressedout2004Asked:

schnook9Commented:
My first thought would be to check what you are connecting to. If it's a hub, it's easy to sniff. If it's a switch, you will likely not have an easy time of it, as the traffic for others will never come to you. From your comments, it appears you see your self-directed traffic just fine, so I will assume you want to see the network as a whole. The configuration of your network could also impede your being able to sniff anything, but you'd have to talk to your nw security guys about that.

HTH
0
stressedout2004Author Commented:
Thanks schnook9. Currently, I have the PIX outside interface, my DSL connection and the Snort sniffing interface all connected to a hub. I wanted to sniff all traffic coming in and out of the firewall. So from the configuration standpoint of the Snort interfaces itself, it all looks OK?

0
whatboxCommented:
I assume this is a Linux install. Do you have libpcap installed? If you watch the console or look through the logfile, does it actually show a statement such as "Promiscuous mode enabled on eth1"?

You may also want to just try something simple like tcpdump to see if it works any better

Try "tcpdump -i eth1"

That should give you a lot of output if there is any traffic on eth1 (including your own connection if you are using it to connect to the box). If tcpdump works then we can safely say that it is something to do with the Snort install that is causing your problem.


0
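An added sanity check for the situation whatbox describes (this is example code, not from the thread or from Snort): it parses ifconfig-style output for the sniffing NIC and reports whether the interface is UP and RUNNING, whether the PROMISC flag is actually set on the kernel side (ifconfig lists it on the flags line when it is), and whether any packets have been received at all. The two sample outputs are constructed in the shape of the question's ifconfig listing, with made-up MAC addresses.

```shell
# Added example (not from the thread): check whether a sniffing NIC is ready for Snort.
# Usage: check_sniff_iface IFACE "$(ifconfig IFACE)"
# Exit status: 0 ready, 1 flag problem, 2 no packets received, 3 interface not found.
check_sniff_iface() {
    iface=$1
    text=$2
    # Keep only this interface's block: from its "Link encap" line to the next blank line.
    block=$(printf '%s\n' "$text" | awk -v i="$iface" '
        $1 == i        { on = 1 }
        on && NF == 0  { exit }
        on             { print }')
    [ -n "$block" ] || { echo "$iface: not present in output"; return 3; }

    flags=$(printf '%s\n' "$block" | grep 'MTU:')    # the flags line
    rx=$(printf '%s\n' "$block" | sed -n 's/.*RX packets:\([0-9]*\).*/\1/p')
    rc=0
    case " $flags " in
        *" UP "*)      ;;
        *)             echo "$iface: not UP"; rc=1 ;;
    esac
    case " $flags " in
        *" RUNNING "*) ;;
        *)             echo "$iface: RUNNING missing, no link detected"; rc=1 ;;
    esac
    case " $flags " in
        *" PROMISC "*) ;;
        *)             echo "$iface: PROMISC not set, only traffic for this host is seen"; rc=1 ;;
    esac
    # Even in promiscuous mode a NIC shows RX packets:0 when nothing reaches it (dead hub port, cable).
    if [ "${rx:-0}" -eq 0 ]; then
        echo "$iface: RX packets is 0, nothing reaches this NIC (check hub port and cable)"
        rc=2
    fi
    [ "$rc" -eq 0 ] && echo "$iface: ready for sniffing"
    return "$rc"
}

# Constructed samples in the shape of the question's ifconfig output (MACs made up).
SAMPLE_DEAD='eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0'
SAMPLE_GOOD='eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:02
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:5123 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0'

for s in "$SAMPLE_DEAD" "$SAMPLE_GOOD"; do
    check_sniff_iface eth1 "$s" || echo "  -> exit status $?"
done
```

On the real box, `check_sniff_iface eth1 "$(ifconfig eth1)"` run while Snort or tcpdump is open on eth1 tells you whether the RX counter moves at all before you start suspecting the Snort install.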

stressedout2004Author Commented:
I'll try that out, sorry to get back so late.
0