Snort mailing list archives
Re: Using snort sensors.
From: Chris Baker <extremis () exploit org>
Date: Sun, 13 Oct 2002 20:59:47 -0700
On Sun, Oct 13, 2002 at 11:05:15PM -0400, Sujit Pal wrote:
> Hello! I had configured a Linux system to be used as the snort sensor. This was done as per the install recommendation shown in Snort Installation Manual by Steven J Scott. I have two NICs in this system, eth0 and eth1. I configured eth0 with an IP address etc. eth1 was left alone as suggested.
Snort will bring the interface up in promisc mode. You can verify this by issuing 'ifconfig eth1' after snort has been started.
> I understood that the eth1 was to be used as the probe NIC and it should be run in promiscuous mode. However, if I start snort with the eth1 NIC card it starts snort but does not log any data into the database. The same works when used with the eth0 NIC. Is my assumption that the eth1 was to be used as probe wrong? Why was it suggested to have a second NIC if not used? How can I put a NIC in promiscuous mode and how to check that it is in promiscuous mode? I tried using ifconfig eth1 -promisc up. I do not think that worked. Regards.
--
Chris Baker, GCIA
Fingerprint = E9 95 6F 2E 44 E3 37 15 D5 1F 37 8B AB 89 02 AA 65 50 42 F8
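
The check discussed in this message can also be scripted on a Linux sensor by reading the interface flags from sysfs. This is an added example, not part of the original thread; the function names `decode_flags` and `sensor_state` are hypothetical, and the sample flag values in the comments are constructed.

```shell
#!/bin/sh
# Added example: report whether a sniffing interface is up and promiscuous.
# Flag bit values are the IFF_* constants from Linux <linux/if.h>.
IFF_UP=1          # 0x1
IFF_RUNNING=64    # 0x40
IFF_PROMISC=256   # 0x100

# decode_flags HEX: print the names of the flags of interest that are set.
decode_flags() {
    flags=$(( $1 ))
    out=""
    if [ $(( flags & IFF_UP )) -ne 0 ]; then out="$out UP"; fi
    if [ $(( flags & IFF_RUNNING )) -ne 0 ]; then out="$out RUNNING"; fi
    if [ $(( flags & IFF_PROMISC )) -ne 0 ]; then out="$out PROMISC"; fi
    echo "${out# }"
}

# sensor_state HEX: classify the interface as a capture port.
#   down        - interface is not administratively up
#   not-promisc - up, but only sees frames addressed to it
#   ready       - up and promiscuous
sensor_state() {
    flags=$(( $1 ))
    if [ $(( flags & IFF_UP )) -eq 0 ]; then
        echo "down"
    elif [ $(( flags & IFF_PROMISC )) -eq 0 ]; then
        echo "not-promisc"
    else
        echo "ready"
    fi
}

# When called with an interface name (e.g. eth1), read the live flags.
# /sys/class/net/<if>/flags holds a hex value such as 0x1103 (constructed sample).
if [ -n "${1:-}" ] && [ -r "/sys/class/net/$1/flags" ]; then
    hex=$(cat "/sys/class/net/$1/flags")
    echo "$1: flags=$hex [$(decode_flags "$hex")] state=$(sensor_state "$hex")"
fi
```

Run it with the capture interface as the argument once snort has been started on that interface.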