Re: Using snort sensors.

[Chris Baker <extremis () exploit org>]

On Sun, Oct 13, 2002 at 11:05:15PM -0400, Sujit Pal wrote:
> Delivered-To: extremis () exploit org
> From: "Sujit Pal" <sujit.pal () verizon net>
> To: "Snort E-mail List" <snort-users () lists sourceforge net>
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
> Importance: Normal
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
> Subject: [Snort-users] Using snort sensors.
> Errors-To: snort-users-admin () lists sourceforge net
> X-BeenThere: snort-users () lists sourceforge net
> X-Mailman-Version: 2.0.9-sf.net
> Precedence: bulk
> List-Help: <mailto:snort-users-request () lists sourceforge net?subject=help>
> List-Post: <mailto:snort-users () lists sourceforge net>
> List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/snort-users>,
>       <mailto:snort-users-request () lists sourceforge net?subject=subscribe>
> List-Id: Snort users talk about... Snort! <snort-users.lists.sourceforge.net>
> List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/snort-users>,
>       <mailto:snort-users-request () lists sourceforge net?subject=unsubscribe>
> List-Archive: <http://sourceforge.net/mailarchives/forum.php?forum=snort-users>
> X-Original-Date: Sun, 13 Oct 2002 23:05:15 -0400
> Date: Sun, 13 Oct 2002 23:05:15 -0400
> X-Spam-Status: No, hits=1.8 required=5.0
>       tests=KNOWN_MAILING_LIST,RCVD_IN_OSIRUSOFT_COM,SPAM_PHRASE_01_02,
>             USER_AGENT_OUTLOOK,X_OSIRU_DUL,X_OSIRU_DUL_FH
>       version=2.42
> X-Spam-Level: *
>
> Hello!
>
> I had configured a Linux system to be used as the snort sensor. This was
> done as per the install recommendation shown in Snort Installation Manual by
> Steven J Scott.
>
> I ahve two NIC in this system. eth0 and eth1.
> I configuer eth0 with an IP address etc.
> eth1 was left alone as suggested.

Snort will bring the interface up in promisc mode. You can verify this
by issuing 'ifconfig eth1' after snort has been started.

> I understood that the eth1 was to be used as the probe NIC and it should be
> run on promiscous mode. However if I start snort with the eth1 nic card it
> starts snort but do not log any data into the database.
> The same works when used with the eth0 NIC.
>
> Is my assumption that the eth1 was to be used as probe wrong. Why was it
> suggested to have a second NIC if not used.
>
> How can I put a NIC in promiscous mode and how to check that it is
> promiscous mode.
>
> I tried using ifconfig eth1 -promisc up.
> I do not think that worked.
>
> Regards.
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 

Chris Baker, GCIA

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GAT/O d-(+) s++:++ a-- C++++@ UBS++++> P+ !L(L+) E--- W+ N+ o+ K- w
O- M V- PS PE Y+ PGP++> t+ 5 X+ R tv b++ DI>
D++ G+ e+> h-- r+++ y+++
------END GEEK CODE BLOCK------

Fingerprint =  E9 95 6F 2E 44 E3 37 15  D5 1F 37 8B AB 89 02 AA  65 50 42 F8

Attachment: _bin
Description: