Fabiano Petrone wrote:
> hello Everybody
>
> I've installed a snort box (yum install snort & snort-mysql) on FC7 with
> 2 NICs:
> eth0 (192.168.0.50)
> eth1 (192.168.0.51) in promisc mode ***only*** dedicated to snort sniffing
>
> all seems ok but still 2 problems persist:
>
> 1)what's the better way for putting eth1 on promisc mode on startup?
> I've thought to edit /etc/sysconfig/networking/devices/ifcfg-eth1 adding
> the line:
> PROMISC=yes but it doesn't go.
> "ifconfig eth1 promisc" is the only solution?
>

From /usr/share/doc/initscripts-8.45.7/sysconfig.txt

  No longer supported:
    PROMISC=yes|no (enable or disable promiscuous mode)
    ALLMULTI=yes|no (enable or disable all-multicast mode)

    To properly set these, use the packet socket interface.

> 2)I've modified /etc/rc.d/init.d/snortd adapting it to the snort-mysql
> binary:
>
> #!/bin/sh
> #
> # snortd Start/Stop the snort IDS daemon.
> #
> # chkconfig: 2345 40 60
> # description: snort is a lightweight network intrusion detection tool
> that
<----------------------------[ snip ]----------------->
>
> practically I've substituted "snort-mysql" with "snort" and deleted the "
> -A fast" option.
> This script is launched without problem at the FC7 very startup (as I
> can see from the console)
> but after the login, "service snortd status" replies "snort-mysql is
> stopped".
> everyway, "service snortd start" goes OK without problem..
>
>
> thanks a lot in advance for your help,
>
> fabianope
>

Are you starting snort or snort-mysql as it says in the script? If you
are using snort-mysql then you are going to want to change the start
order so that snort-mysql starts after mysql.

# chkconfig: 2345 40 60
to
# chkconfig: 2345 64 35

because mysql uses:
# chkconfig: - 64 36

You probably have an error message in the logs about the mysql server
not running or that snort could not connect to it.

Mikkel
--
Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
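The start-order fix discussed above can be checked before rebooting. The following is an added example, not part of the original messages: it reads the "# chkconfig:" header of two init scripts and reports whether the sensor would be started after its database. The function names are hypothetical and the sample scripts are constructed from the headers quoted in the thread; it assumes rc runs the S<priority><name> links in sorted order, which is why the suggested 64 still works against mysql's 64 ("snortd" sorts after "mysqld").

```shell
#!/bin/sh
# Added example: verify SysV start ordering from the
# "# chkconfig: <runlevels> <start> <stop>" header of two init scripts.

# Print the zero-padded start priority from a script's chkconfig header
# (prints nothing if the script has no such header).
chkconfig_start_prio() {
    sed -n 's/^#[[:space:]]*chkconfig:[[:space:]]*[^[:space:]]\{1,\}[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" |
        awk 'NR == 1 { printf "%02d\n", $1 }'
}

# starts_after DEP SVC: returns 0 if SVC is started after DEP, 1 if it is
# started before DEP, 2 if a header is missing or the link names collide.
# Assumption: rc walks the S<prio><name> links in sorted glob order, so an
# equal priority falls back to comparing the script names.
starts_after() {
    dep_prio=$(chkconfig_start_prio "$1")
    svc_prio=$(chkconfig_start_prio "$2")
    [ -n "$dep_prio" ] && [ -n "$svc_prio" ] || return 2
    dep_link="S${dep_prio}$(basename "$1")"
    svc_link="S${svc_prio}$(basename "$2")"
    [ "$dep_link" != "$svc_link" ] || return 2
    first=$(printf '%s\n' "$dep_link" "$svc_link" | LC_ALL=C sort | head -n 1)
    [ "$first" = "$dep_link" ]
}

# Constructed sample scripts carrying only the headers quoted in the thread.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/before" "$demo_dir/after"
printf '#!/bin/sh\n# chkconfig: - 64 36\n'    > "$demo_dir/mysqld"
printf '#!/bin/sh\n# chkconfig: 2345 40 60\n' > "$demo_dir/before/snortd"
printf '#!/bin/sh\n# chkconfig: 2345 64 35\n' > "$demo_dir/after/snortd"

for version in before after; do
    if starts_after "$demo_dir/mysqld" "$demo_dir/$version/snortd"; then
        echo "$version: snortd starts after mysqld"
    else
        echo "$version: snortd does NOT start after mysqld"
    fi
done
rm -rf "$demo_dir"
```

On a real system the two arguments would be the scripts under /etc/rc.d/init.d/, and an edited header only takes effect once the service is re-registered with chkconfig.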