TheGlink

Reputation: 11

How do I change the interface snort monitors by default?

To start, I am entirely new to Linux and am doing this as part of my final year project at university. I had never used Linux before a few weeks ago, and I have been hitting roadblock after roadblock trying to get snort installed and working for 6-7 weeks now (1-4 hours a week) among my other modules.

I have a virtual machine running the latest Ubuntu release. The VM has 2 network interfaces: one is for access to the internet and the other is going to be used to feed pcap files into with tcpreplay. This is named intnet in the VM settings, and enp0s8 in Linux. I used the command lines sudo apt install -y snort and snort -v -c /etc/snort/snort.conf which I found Here and Here respectively. I used the first link after resetting my VM for the 3rd time and could not get snort to find LuaJIT. After this I ran wget https://www.snort.org/downloads/community/community-rules.tar.gz -O community-rules.tar.gz and finally tar -xvzf community.tar.gz -C /etc/snort/rules from the snort website, found Here under Step 3. Note I had to change the last command to tar -xvzf community-rules.tar.gz -C /etc/snort/rules to get it to work; not sure if this is a mistake on the website or on my end.

When I run snort using snort -v, to run in verbose mode, there are no errors or warnings, but when I use snort -i enp0s8 for the specific network I want to use, I get a warning that is something about no pre-processors for policy 0. This is an error I had a lot while trying to install snort at all, let alone work with it. I have also noticed that there is a test using snort -t (possibly uppercase T, can't remember). I get an error regarding not using a rules file, but then when I use snort -c to specify community-rules I can't seem to get it to accept the rules file, although this is just because I'm assuming test is a general test of the program; might be wrong about that.

This is beginning to really stress me out, to the point of making this account just to see if anyone can help.

Any help is much appreciated. It is almost midnight; I will be back on tomorrow morning, so sorry if I don't reply for a while.

tl;dr snort monitoring wrong interface, using -i gives pre-processor warning, -t says no rules file and -c will not recognise rules file

Upvotes: 0

Views: 1361

Answers (0)
