Snort mailing list archives

Re: Using snort to listen on a nic without an IP


From: "M. Morgan" <mikemorgan () mindspring com>
Date: Wed, 21 Jan 2004 17:31:51 -0500 (GMT-05:00)

Mark,
I use dual NIC machines in the following configuration on Linux; you'll have to change it a bit for BSD, but you'll get the idea:

IP# 0.0.0.0 / eth0, netmask 255.255.255.0 / on a sniffed network
IP# 192.168.1.x / eth1, netmask 255.255.255.0 / on a local LAN for admin purposes

You'll need to use the "route" command to view the routing table:
(man route)

There should be a default gateway entry for eth0, remove it.

eth1 won't have a default gateway set; add one now.
This is how it should look when you've changed it:
~~~~~~~~~~~~~~~~~~~~~
 Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.1.2     0.0.0.0         UG    1      0        0 eth1
~~~~~~~~~~~~~~~~~~~~~

After a reboot, the ifconfig output should read like this:
notice that no packets are transmitted from eth0 and there is no inet addr.
~~~~~~~~~~~~~~~~~~~~~~~~~~
eth0      Link encap:Ethernet  HWaddr 00:05:5D:50:15:12
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:508099 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:100
          RX bytes:67143966 (64.0 Mb)  TX bytes:0 (0.0 b)
          Interrupt:10 Base address:0xec00

eth1      Link encap:Ethernet  HWaddr 00:0A:E6:8F:8E:BD
          inet addr:192.168.1.31  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:68839 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14828 errors:0 dropped:0 overruns:0 carrier:0
          collisions:302 txqueuelen:100
          RX bytes:8762243 (8.3 Mb)  TX bytes:1038227 (1013.8 Kb)
          Interrupt:11 Base address:0xd800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4701 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4701 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:488904 (477.4 Kb)  TX bytes:488904 (477.4 Kb)
~~~~~~~~~~~~~~~~~~~~~

Use "tcpdump -i eth0 -a" to verify that eth0 is sniffing traffic on your hostile network.

That's about it.

Michael
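A check script added here (not part of Michael's reply) that parses ifconfig and route -n output in the format shown above and confirms the sniffing NIC has no inet addr, has transmitted nothing, and holds no default route. The sample outputs below are constructed for offline use and only echo the values quoted in the reply.

```shell
#!/bin/sh
# Added example: verify a sniffing NIC is passive. Sample text is constructed,
# modelled on the ifconfig / route -n output quoted in the reply above.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:05:5D:50:15:12
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:508099 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

eth1      Link encap:Ethernet  HWaddr 00:0A:E6:8F:8E:BD
          inet addr:192.168.1.31  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          TX packets:14828 errors:0 dropped:0 overruns:0 carrier:0
'
SAMPLE_ROUTE='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.1.2     0.0.0.0         UG    1      0        0 eth1
'

# iface_block IFACE IFCONFIG_TEXT: print only that interface's stanza
# (the header line plus the indented lines that follow it).
iface_block() {
  printf '%s\n' "$2" | awk -v ifc="$1" '
    /^[^ \t]/ { show = ($1 == ifc) }
    show { print }'
}

# check_passive IFACE IFCONFIG_TEXT ROUTE_TEXT
# Returns 0 when IFACE has no inet addr, has sent 0 packets and is not the
# interface of the default route; otherwise prints each reason and returns 1.
check_passive() {
  ifc=$1; blk=$(iface_block "$1" "$2"); rc=0
  printf '%s\n' "$blk" | grep -q 'inet addr:' \
    && { echo "$ifc: has an IP address"; rc=1; }
  printf '%s\n' "$blk" | grep -q 'TX packets:0 ' \
    || { echo "$ifc: has transmitted packets"; rc=1; }
  # default route row: destination 0.0.0.0 (route -n) or "default" (route)
  printf '%s\n' "$3" | awk -v ifc="$ifc" \
    '($1 == "0.0.0.0" || $1 == "default") && $NF == ifc { found = 1 }
     END { exit !found }' \
    && { echo "$ifc: still holds the default route"; rc=1; }
  return $rc
}

# Stand-alone run against the constructed sample: eth0 should pass.
check_passive eth0 "$SAMPLE_IFCONFIG" "$SAMPLE_ROUTE" && echo "eth0 is a passive sniffer"
```

On a live box, feed it `"$(ifconfig)"` and `"$(route -n)"` instead of the sample strings; the sniffing interface should pass and the admin interface should fail all three checks.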


-----Original Message-----
From: Mark Reis <mcr2z () cs virginia edu>
Sent: Jan 21, 2004 4:50 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Using snort to listen on a nic without an IP

Hello,

I have snort running on a FreeBSD 5.1 box and was using it to monitor the
uplink for ~1500 machines. Unfortunately, I found out that all of this
traffic would flood the network connection and I could hardly even ssh into
the machine. So I've placed a second nic into the machine and I would like
to configure it for snort to listen without giving it an IP. 

I'd appreciate help on what conf changes I'd need to do with both freebsd
and snort.

Thanks,
Mark



-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


