Snort mailing list archives
Snort Doesn't Set Second NIC Promiscuous
From: Ken Schweigert <ken () byte-productions com>
Date: Mon, 15 Jul 2002 14:22:53 -0400
I've been happily running Snort-1.8.6 on OpenBSD-3.0 and watching one subnet. I wanted to start watching another subnet so I put another NIC in the box, gave it an IP in that subnet, copied my snort.conf and changed the HOME_NET, and started it. Everything running great, or so I had thought. After a few days I noticed the only thing snort alerted on, on the new subnet, was only requests to it's IP. A little digging showed that the second NIC wasn't in promiscuous mode. I must admit that I'm still new to OpenBSD, but not too new to Unix (4 or 5 years with Linux) and the only way I've been able to get it into promisc is by using tcpdump. Any ideas on how to get this second NIC to snort? Thanks. -- -Ken Schweigert, Padawan Network Administrator Byte Productions, LLC http://www.byte-productions.com --------------------------------------------------------------------- bash-2.05# ifconfig -A fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500 media: Ethernet autoselect (100baseTX full-duplex) status: active inet xx.xx.xx.62 netmask 0xffffffe0 broadcast xx.xx.xx.63 fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 media: Ethernet autoselect (100baseTX full-duplex) status: active inet yy.yy.yy.93 netmask 0xffffffe0 broadcast yy.yy.yy.95 bash-2.05# /usr/local/bin/snort -V -*> Snort! <*- Version 1.8.6 (Build 105) By Martin Roesch (roesch () sourcefire com, www.snort.org) bash-2.05# ps ax | grep snort PID TT STAT TIME COMMAND 24520 ?? Ss 4:11.44 /usr/local/bin/snort -d -s -c /etc/snort/snort.conf.fxp1 -A full -D 4919 ?? Ss 4:21.06 /usr/local/bin/snort -d -s -c /etc/snort/snort.conf.fxp0 -A full -D bash-2.05# diff snort.conf.fxp0 snort.conf.fxp1 50c50 < var HOME_NET [xx.xx.xx.32/27] ---
var HOME_NET [yy.yy.yy.64/27]
bash-2.05# ifconfig fxp1 promisc ifconfig: promisc: bad value bash-2.05# ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort Doesn't Set Second NIC Promiscuous Ken Schweigert (Jul 15)
- Re: Snort Doesn't Set Second NIC Promiscuous DataShark (Jul 15)
- Re: Snort Doesn't Set Second NIC Promiscuous Ken Schweigert (Jul 15)
- Re: Snort Doesn't Set Second NIC Promiscuous Stefan Schleifer (Jul 16)
- Re: Snort Doesn't Set Second NIC Promiscuous Erek Adams (Jul 16)
- Re: Snort Doesn't Set Second NIC Promiscuous Ken Schweigert (Jul 15)
- Re: Snort Doesn't Set Second NIC Promiscuous DataShark (Jul 15)
- <Possible follow-ups>
- RE: Snort Doesn't Set Second NIC Promiscuous McCammon, Keith (Jul 16)