Snort mailing list archives
how to use expressions on a stealth interface
From: Thomas Uczekaj <tuczek01 () freight fedex com>
Date: Wed, 26 Mar 2003 14:28:46 -0700
Hi - I have set up an interface in stealth mode (no IP assigned to the interface; the switch port has been set up to do spanning so I can see all traffic on the subnet). When I run snort in sniffer mode (snort -i intf1 -ve net 10.67.2.0/24), the expression syntax to filter the data does not work. It doesn't seem to recognize any of the data as normal IP. However, when I run it without any expressions (snort -i intf1 -ve), statistics report back about pct's for TCP/UDP/...etc. Similarly, tcpdump cannot use expressions to filter the data. Does anyone have an idea of using either of these tools to make this happen?

--
Thomas Uczekaj - (602) 685-3532
FedEx Freight System - Information Security
Email - tom.uczekaj () freight fedex com
Current thread:
- how to use expressions on a stealth interface Thomas Uczekaj (Mar 26)
- Re: how to use expressions on a stealth interface Erek Adams (Mar 26)