  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 461

Snort not capturing traffic

I'm new to Snort and trying to make it work in our existing network. The Snort box is set up with two NIC cards,
one is connected to the internal network (e0, promiscuous mode disabled) for management and the other is connected on the outside of the PIX firewall (e1, promiscuous mode) to sniff all the packets coming in and out of the PIX. My interface configuration is as follows:

For E0:

DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
PROMISC=no
IPADDR=192.168.0.144
NETMASK=255.255.255.0
USERCTL=no
PEERDNS=no
GATEWAY=192.168.0.1
TYPE=Ethernet
NETWORK=192.168.0.0
BROADCAST=192.168.0.255

For E1:

DEVICE=eth1
PROMISC=yes
ONBOOT=yes


When I do snort -c /etc/snort/snort.conf -v I do not see any traffic on e1. The only time you see traffic scrolling on the terminal is when you direct traffic to the Snort box, that is, when I connect to the management console ACID I see traffic on the terminal. Other than that, nothing.

eth0      Link encap:Ethernet  HWaddr 00:50:8B:F3:75:89  
          inet addr:192.168.0.144  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:675 errors:0 dropped:0 overruns:0 frame:0
          TX packets:446 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:39242 (38.3 Kb)  TX bytes:41825 (40.8 Kb)
          Interrupt:11 Base address:0x2800 Memory:c6ffb000-c6ffb038

eth1      Link encap:Ethernet  HWaddr 00:50:8B:AC:91:55  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:15 Base address:0x3000 Memory:c4fff000-c4fff038


What am I missing? Any ideas are appreciated.
0
Asked: stressedout2004
1 Solution
schnook9 Commented:
My first thought would be to check what you are connecting to. If it's a hub, it's easy to sniff. If it's a switch, you will likely not have an easy time of it, as the traffic for others will never come to you. From your comments, it appears you see your self-directed traffic just fine, so I will assume you want to see the network as a whole. The configuration of your network could also impede your being able to sniff anything, but that you'd have to talk to your network security guys about.

HTH
0
stressedout2004 (Author) Commented:
Thanks schnook9. Currently, I have the PIX outside interface, my DSL connection and the Snort sniffing interface all connected to a hub. I wanted to sniff all traffic coming in and out of the firewall. So from the configuration standpoint of the Snort interfaces itself, it all looks OK?

0
whatbox Commented:
I assume this is a Linux install. Do you have libpcap installed? If you watch the console or look through the logfile, does it actually show a statement such as "Promiscuous mode enabled on eth1"?

You may also want to just try something simple like tcpdump to see if it works any better

Try "tcpdump -i eth1"

That should give you a lot of output if there is any traffic on eth1 (including your own connection if you are using it to connect to the box). If tcpdump works, then we can safely say that it is something to do with the Snort install that is causing your problem.


0
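The thread raises two separate checks: whether the kernel actually put eth1 into promiscuous mode (whatbox's "Promiscuous mode enabled on eth1" message), and whether any frames reach the NIC at all (schnook9's hub-versus-switch point). Both can be read off the ifconfig output the asker pasted: an interface in promiscuous mode shows PROMISC on its flags line, and the asker's eth1 line reads "UP BROADCAST RUNNING MULTICAST" with RX packets:0. The script below is an added example, not code from the thread or from the Snort project. It parses constructed ifconfig-style samples that mirror the asker's eth1 block, decodes the IFF_PROMISC bit (0x100) as reported by /sys/class/net/<iface>/flags on Linux, and gives a verdict in the order the thread suggests. The live helper at the end assumes a modern Linux with sysfs, iproute2 and tcpdump installed, and only runs when invoked with --live.

```shell
#!/bin/sh
# Added example (not from the thread): offline diagnosis of "Snort sees no
# traffic" from ifconfig-style output, plus an optional live check.

# Constructed sample: the shape of the asker's eth1 block (no PROMISC, 0 RX).
SAMPLE_ETH1='eth1      Link encap:Ethernet  HWaddr 00:50:8B:AC:91:55
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0'

# Constructed sample: promiscuous mode is on, but nothing reaches the NIC
# (typical of a switch port that is not mirrored, or a dead cable).
SAMPLE_PROMISC_QUIET='eth1      Link encap:Ethernet  HWaddr 00:50:8B:AC:91:55
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0'

# Constructed sample: an interface that is actually sniffing.
SAMPLE_GOOD='eth1      Link encap:Ethernet  HWaddr 00:50:8B:AC:91:55
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:15321 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0'

# ifconfig_promisc TEXT -> exit 0 if the flags line carries PROMISC, else 1.
ifconfig_promisc() {
    printf '%s\n' "$1" | grep -q '^ *UP .*PROMISC'
}

# ifconfig_rx_packets TEXT -> prints the "RX packets:" counter.
ifconfig_rx_packets() {
    printf '%s\n' "$1" | sed -n 's/.*RX packets:\([0-9]*\).*/\1/p'
}

# flags_promisc HEX -> exit 0 if IFF_PROMISC (0x100) is set in a
# /sys/class/net/<iface>/flags value such as 0x1103.
flags_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# diagnose TEXT -> one word: promisc-off | no-frames | capturing.
# Order matters: a NIC that is not promiscuous only ever shows its own traffic,
# which is exactly the symptom in the question.
diagnose() {
    rx=$(ifconfig_rx_packets "$1")
    rx=${rx:-0}
    if ! ifconfig_promisc "$1"; then
        echo "promisc-off"
    elif [ "$rx" -eq 0 ]; then
        echo "no-frames"
    else
        echo "capturing"
    fi
}

# live_check IFACE: the same two checks against the running system.
# Needs root for tcpdump; paths assume Linux sysfs.
live_check() {
    iface=$1
    flags=$(cat /sys/class/net/"$iface"/flags)
    if flags_promisc "$flags"; then
        echo "$iface: PROMISC set (flags $flags)"
    else
        echo "$iface: PROMISC not set (flags $flags); try: ip link set $iface promisc on"
    fi
    before=$(cat /sys/class/net/"$iface"/statistics/rx_packets)
    sleep 5
    after=$(cat /sys/class/net/"$iface"/statistics/rx_packets)
    echo "$iface: rx_packets grew by $((after - before)) in 5s"
    # 20 frames, no name resolution: proves whether frames reach the NIC at all.
    tcpdump -n -i "$iface" -c 20
}

if [ "${1:-}" = "--live" ]; then
    live_check "${2:-eth1}"
fi
```

Run offline as `sh snortcheck.sh` to load the functions, or `sh snortcheck.sh --live eth1` to check the real interface. A verdict of promisc-off means the NIC driver never honoured PROMISC=yes and Snort (or tcpdump) will only ever see frames addressed to the box; no-frames means the NIC is listening but the hub or switch port is not delivering anything, which is a cabling or switch-configuration question, not a Snort one.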
stressedout2004 (Author) Commented:
I'll try that out, sorry to get back so late.
0
