I was proficient with working on Snort on my eth0 connection during my previous Ubuntu installation. Later, I changed to Fedora, and eth0 was replaced with eno1. And the other change – I started using a direct DSL line, which used the ppp connection.
Now while doing ifconfig for the DSL connection, I get the interface as ppp0 instead of eno1.
The limitation with Snort is that it will consider only the ether packets, ignoring the ppp0 connection. Even when I am using the ppp0/DSL connection through my Ethernet port, the connection is not through eno1.
If you try starting the Snort instance with the command
# snort -c /etc/snort/snort.conf -l /var/log/snort/
it will give the following error:
ERROR: Cannot decode data link type 113 Fatal Error, Quitting..
If you try looking for the error, you will get a variety of solutions. If your snort version is 18.104.22.168, none of them are going to work for you. The reason is – they have stopped supporting the –enable-non-ether-decoders.
If you put that argument with your command for igniting Snort, you will be provided with a list of available arguments, but –enable-non-ether-decoders will not be allowed. I was furiously looking for a solution regarding this problem. After going through some forums, it came to my mind to try a walk-through.
The easiest option available was to make Snort work with the ppp0 connection (which is plugged in to eno1) work with eno1. You have to try giving the command with an additional argument, which is -i eno1:
# snort -D -i eno1 -c /etc/snort/snort.conf -l /var/log/snort/
This will start the Snort Daemon on the eno1 interface, capturing all the packets and dumping them to your desired location. The logs will be located in files named snort.log.xxxx. For every instance there will be a new log file, which has the packets logged in Binary PCAP format to be readable by Wireshark, Snort, or other similar applications.
If you try to read these logs with some text reader/editor, it will be like reading the Webdings fonts. Don’t do that. Snort has a better reader, also called Snort -r.
Give the command:
# snort -r snort.log.1405955899
This will give you a nice analysis of the packets with all the logs available to you. You can also export the readable content to a .txt file by the normal methods.
Choose the rules very wisely which you are applying for Snort. As this was for a test environment, I implemented all the available rules to the scenario; and that gave me 5 MB of logs when I ran Snort for just 25 seconds. You need to cut that down, Roger!
Parsing and getting the required information from these logs is one more task. Have you tried Splunk, lately? Here: http://apps.splunk.com/app/340/
TL;DR list your interface as eno1 even if you are using a ppp0 connection