Snort mailing list archives
Re: Using snort sensors.
From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 14 Oct 2002 10:20:39 -0700 (PDT)
On Sun, 13 Oct 2002, Sujit Pal wrote:
I had configured a Linux system to be used as the snort sensor. This was done as per the install recommendation shown in the Snort Installation Manual by Steven J Scott. I have two NICs in this system: eth0 and eth1. I configured eth0 with an IP address etc. eth1 was left alone as suggested. I understood that eth1 was to be used as the probe NIC and that it should be run in promiscuous mode. However, if I start snort with the eth1 NIC, it starts snort but does not log any data into the database. The same works when used with the eth0 NIC.
Then there's nothing wrong with snort. If you can start snort and get data from one card and then when trying to use the other one with the same config and it works, then it points to something else. Does the output of 'ifconfig -a' show both cards? If not, you may need to "tell" your OS that you have a second card. On Solaris it's as simple as "ifconfig hme1 plumb" and then "ifconfig hme1 up".
Is my assumption that eth1 was to be used as the probe wrong? Why was it suggested to have a second NIC if not used?
One NIC would be for sniffing, and the other would be for "management"--remote login of box, configuration, etc....
How can I put a NIC in promiscuous mode, and how do I check that it is in promiscuous mode? I tried using ifconfig eth1 -promisc up. I do not think that worked.
Check the output of 'ifconfig -a'. It should show you if you have the card in promisc mode. If not, check your man page on ifconfig to see how to set it.
Cheers!
-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
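Added example, not part of the original thread: a shell check that a Linux sniffing interface is up and in promiscuous mode, reading the kernel's flag word from sysfs (which also reflects promiscuous mode requested by a capture socket, something `ifconfig` output may not show). The function names and the sample flag values are constructed for illustration; it assumes a Linux host with `/sys/class/net/<iface>/flags`. With `ifconfig`, `promisc` enables the mode and `-promisc` disables it.

```shell
#!/bin/sh
# Added example: decode a Linux interface flag word and report whether the
# interface is usable as a sniffing NIC. Bit values are from <linux/if.h>.
IFF_UP=1         # 0x001 interface is administratively up
IFF_RUNNING=64   # 0x040 link/carrier is present
IFF_PROMISC=256  # 0x100 interface receives all frames on the wire

# decode_flags HEX -> prints the flags relevant to a sensor, e.g. "up promisc"
decode_flags() {
    val=$(( $1 ))
    out=""
    if [ $(( val & IFF_UP )) -ne 0 ];      then out="$out up"; fi
    if [ $(( val & IFF_RUNNING )) -ne 0 ]; then out="$out running"; fi
    if [ $(( val & IFF_PROMISC )) -ne 0 ]; then out="$out promisc"; fi
    echo "${out# }"
}

# sensor_ready HEX -> exit status 0 only if both UP and PROMISC are set
sensor_ready() {
    val=$(( $1 ))
    want=$(( IFF_UP | IFF_PROMISC ))
    [ $(( val & want )) -eq "$want" ]
}

# check_iface NAME -> report on a live interface; 2 = missing, 1 = not ready
check_iface() {
    f="/sys/class/net/$1/flags"
    if [ ! -r "$f" ]; then
        echo "$1: not present (no $f); check 'ifconfig -a'"
        return 2
    fi
    flags=$(cat "$f")
    echo "$1: flags=$flags ($(decode_flags "$flags"))"
    if sensor_ready "$flags"; then
        echo "$1: up and promiscuous, ready to sniff"
    else
        echo "$1: NOT ready; try: ifconfig $1 up promisc"
        return 1
    fi
}

# Run against an interface when one is named on the command line.
if [ $# -gt 0 ]; then
    check_iface "$1"
fi
```

Run it as `sh check_promisc.sh eth1` (the file name is arbitrary) before and after starting snort to see whether the probe NIC's state changes.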