snort-users November 2009 archive
snort-users: Re: [Snort-users] Problem with the '-i' option

Re: [Snort-users] Problem with the '-i' option

From: Alex Tatistcheff <alex.tatistcheff_at_nospam>
Date: Wed Nov 04 2009 - 15:57:22 GMT
To: Eric S <ericseligman@hotmail.com>


To check and see if it's a problem with your bridge setup try using tcpdump and see if you get the same results, i.e. tcpdump -i br1 -vXs0

Alex Tatistcheff
alext@pobox.com

  • When a convicted terrorist was sentenced to face Jack Bauer, he appealed to have the sentence reduced to death.

On Mon, Nov 2, 2009 at 2:17 AM, Eric S <ericseligman@hotmail.com> wrote:

> Hello everyone,
>
> I am having a bit of a problem getting Snort to run on different interfaces
> on Linux. I have a bridge setup (br0) that is bridged with eth1 (my primary
> physical interface connected to the network). I also have another bridge
> (br1) that connects a number of other virtual interfaces (mostly for VMs),
> such as vif1, vif2, etc. My issue is when I issue a command such as:
>
> snort -i br1 -dev
>
> All I see is traffic from br0. This occurs with every other interface on my
> system. No errors are generated, however when snort is initialized (no
> matter the interface specified, even if it's gibberish) I see this
> information:
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> ***
> *** interface device lookup found: br0
> ***
> Initializing Network Interface br0
> Decoding Ethernet on interface br0
>
>
> So it seems to me that snort is ignoring my '-i' switch, and just using the
> first active interface, which would be br0. It would appear that there may
> be an issue with the interface detection script, in that it is only seeing
> "br0" as active. However, this certainly seems like a bug because A.)
> Network traffic flows as expected from each of the interfaces, and B.)
> tcpdump -i works perfectly on all the interfaces.
>
> So the question is, does anyone have an idea as to what is going wrong, or
> what I can do to remedy this issue? I've searched for hours on this issue
> and haven't found much, so any help would be appreciated.
>
> Thanks,
>
> Eric
>
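
The symptom in this thread is a sensor that starts without error but reports a different interface than the one passed to `-i`, which leaves the intended segment unmonitored. The following is an added example, not part of the original thread or of Snort itself: a shell check that reads captured startup output and fails when the interface on the "Initializing Network Interface" line differs from the one requested. The function names are hypothetical, and the banner format is assumed to match the output quoted above.

```shell
#!/bin/sh
# Added example: detect a sensor that silently bound to a different interface
# than the one requested with -i. The banner format is assumed to match the
# startup output quoted in this thread; function names are hypothetical.

# Print the interface named on the "Initializing Network Interface" line of
# a startup banner read from stdin (prints nothing if no such line exists).
bound_iface() {
    sed -n 's/^[[:space:]]*Initializing Network Interface \([^[:space:]]*\).*$/\1/p' |
        head -n 1
}

# check_iface REQUESTED < banner
# Returns 0 if the banner shows REQUESTED, 1 on mismatch, 2 if the banner
# contains no interface line at all.
check_iface() {
    requested=$1
    actual=$(bound_iface)
    if [ -z "$actual" ]; then
        echo "no interface line found in startup output" >&2
        return 2
    fi
    if [ "$actual" != "$requested" ]; then
        echo "MISMATCH: requested $requested, sensor bound to $actual" >&2
        return 1
    fi
    echo "ok: sensor bound to $requested"
}

# Constructed sample input: the banner text quoted in the thread.
SAMPLE_BANNER='--== Initializing Snort ==--
Initializing Output Plugins!
***
*** interface device lookup found: br0
***
Initializing Network Interface br0
Decoding Ethernet on interface br0'
```

Piping `$SAMPLE_BANNER` into `check_iface br1` reports the mismatch described in the question; a sensor start-up script can use the non-zero return to refuse to continue.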



Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users