Snort mailing list archives
RE: Configuration issue, Part II
From: "John Berkers" <berjo () ozemail com au>
Date: Tue, 25 Sep 2001 22:47:11 +1000
I believe that this particular issue only applies to PPP interfaces. Ethernet sniffing works quite fine from behind an ipchains firewall. That's exactly the way I have a couple of sensors configured, and I get traffic on a completely blocked interface.

It is a tad confusing when different interface types exhibit different behaviour with respect to promiscuity. Promiscuity doesn't really apply in the case of PPP since by definition only traffic intended to go over a PPP link will arrive at a PPP interface.

Now where's that coffee....

regards,
John Berkers

I try to take life one day at a time, but sometimes several days attack me at once.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Erek Adams
Sent: Monday, 24 September 2001 23:34
To: Greg Sarsons
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Configuration issue, Part II

On Mon, 24 Sep 2001, Greg Sarsons wrote:
Okay, I've got snort running collecting a big binary dump file and not doing anything else, but it is on a machine running iptables (the dump file will be looked at later on another machine). So is it the case that much of the traffic will be killed by iptables even if snort is running in promiscuous mode?
Yes.
Does that mean that I have to take down my iptables firewall to collect everything?
Yes. To make it simpler, put snort on a box by itself. Set it outside your firewall with a receive-only cable and no IP on the interface. All will be good. :)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users