snort + promisc eth1 problems

Mikkel L. Ellertson mikkel at infinity-ltd.com
Mon Jul 16 19:27:36 UTC 2007 

Fabiano Petrone wrote:
> hello Everybody
> 
> I've installed a snort box (yum install snort & snort-mysql) on FC7 with
> 2 NICs:
> eth0 (192.168.0.50)
> eth1 (192.168.0.51) in promisc mode ***only*** dedicated to snort sinffing
> 
> all seems ok but still 2 problems persists:
> 
> 1)what's the better way for putting eth1 on promisc mode on startup?
> I've thought to edit /etc/sysconfig/networking/devices/ifcfg-eth1 adding
> the line:
> PROMISC=yes but it doesnt't go.
> "ifconfig eth1 promisc" is the only solution?
> 
From /usr/share/doc/initscripts-8.45.7/sysconfig.txt

    No longer supported:
     PROMISC=yes|no (enable or disable promiscuous mode)
     ALLMULTI=yes|no (enable or disable all-multicast mode)

     To properly set these, use the packet socket interface.

> 2)I've modified /etc/rc.d/init.d/snortd adapting it to the snort-mysql
> binary:
> 
> #!/bin/sh
> #
> # snortd         Start/Stop the snort IDS daemon.
> #
> # chkconfig: 2345 40 60
> # description:  snort is a lightweight network intrusion detection tool
> that
<----------------------------[ snip ]----------------->
> 
> pratically I've substituted "snort-mysql" with "snort" and deleted the "
> -A fast" option.
> This script is launched without problem at the FC7 very startup (as I
> can see from the console)
> but after the login, "service snortd status" replies "snort-mysql is
> stopped".
> everyway, "service snortd start" goes OK without problem..
> 
> 
> thanks a lot in advance for your help,
> 
> fabianope
> 
Are you starting snort or snort-mysql as it says in the script? If
you are using snort-mysql then you are going to want to change the
start order so that snort-mysql starts after mysql.

# chkconfig: 2345 40 60
to
# chkconfig: 2345 64 35

because mysql uses:
# chkconfig: - 64 36

You probably have an error message in the logs about the mysql
server not running or that snort could not connect to it.

Mikkel
-- 

  Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20070716/68c96116/attachment-0001.sig>

More information about the fedora-list mailing list