Snort mailing list archives
Re: Stealth sensor on SPAN port w/o tap
From: Bennett Todd <bet () rahul net>
Date: Wed, 13 Nov 2002 11:45:30 -0500
2002-11-11-09:20:48 Erek Adams:
- configure one instance of snort with multiple -i flag options.Option 2 wouldn't work as Snort only uses one -i flag. Option 3: Use a Linux kernel 2.1.x/2.2.x+ and use the "-i any" option [0]. Option 4: Use a *BSD and bonding to combine both physical interfaces into one logical one that you can sniff.
Option 5: Use a recent Linux with the bonding driver, included with a lot of Linuxes (e.g. recent Red Hats), and available separately from <URL:http://sf.net/projects/bonding/>. If you chase this one, set the promisc option on the bond0 driver when you ifconfig it up, that will propagate to the underlying eth drivers when you ifenslave them. promisc doesn't propagate down after enslaving. Also, when you ifenslave unnumbered interfaces, ifenslave whinges a lot, but it still works fine. -Bennett
Attachment:
_bin
Description:
Current thread:
- Stealth sensor on SPAN port w/o tap Robert MacKinnon (Nov 06)
- <Possible follow-ups>
- RE: Stealth sensor on SPAN port w/o tap Security Admin (Nov 06)
- Stealth sensor on SPAN port w/o tap Robert MacKinnon (Nov 10)
- Re: Stealth sensor on SPAN port w/o tap Erek Adams (Nov 11)
- Re: Stealth sensor on SPAN port w/o tap Bennett Todd (Nov 13)
- Re: Stealth sensor on SPAN port w/o tap Erek Adams (Nov 11)