Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: snort configuration in layer 2

From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 01 Feb 2005 12:19:13 -0500
At 09:28 AM 2/1/2005, Peggy Kam wrote:

Other than running snort in promiscous mode, what else needs be
configured to run snort in passive mode on layer 2?  I did not seem to
find any information anywhere for the configuration on this matter.
Define what you mean by "passive mode on layer 2".. Heck.. define what you mean by "passive mode". If by passive you mean not sending packets, well, that's the default. It only becomes active in this sense if you use flexresp.
Snort in general picks all ethernet frames at a layer 2 level from libpcap, parses past the layer 2 ethernet headers (including VLAN trunk headers) and analyzes them at layer 3 and up.
Once you've got the interface in promisc mode, snort should analyze everything that appears on the interfaces ethernet wire, and generate logged messages, nothing more. 


-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: