Snort mailing list archives
Re: Running snort in daemon mode disables network connection
From: Erek Adams <erek () snort org>
Date: Fri, 28 Feb 2003 18:22:56 -0500 (EST)
On Fri, 28 Feb 2003, Sadanapalli, Pradeep Kumar (MED, TCS) wrote:
I am running snort-1.9.0 on my redhat linux 8.0 laptop. I am using my wireless network card interface to connect to the network. My linux box is connected in the LAN. I would like to run an Intrusion Detection System and Personal Firewall on the Linux box, which is just a workstation, not a server. I want to detect whatever port scans take place on my network interface (whether they are internal to the LAN or external to the LAN) and report it to a central server.
Easy enough.
I am not using the other network interface, eth0. It is just left unconnected to any cable.
No problem. Forget about it.
When I am running snort in daemon mode, I am losing my network connection. I am not able to connect to any box in the LAN. Please help me if I am doing something wrong.
It's not Daemon mode that is giving you grief--It's promiscuous mode that is.
What is this promiscuous mode?
To sort of quote "The Red Book" [0].... 'Ethernet is sort of like a "polite" dinner party. If you want to talk to someone, you write the message on a bit of paper, fold it, and on the outside you write the name of the recipient. Everyone looks at the address, but not at what's inside.'

Promiscuous mode is different. You _read_ all the bits of paper no matter who it is for. Since you just want to look for scans and attacks that are headed to you, you don't need promisc mode. You just want what's destined for your interface.... Hence, no need of promiscuous mode.

Simply start Snort with the "-p" flag and it should work fine.

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

[0] http://www.amazon.com/exec/obidos/tg/detail/-/0131510517/qid=1046473814/sr=1-2/ref=sr_1_2/104-8282033-5068702?v=glance&s=books (URL may wrap)