Snort mailing list archives

Re: Should I setup NIC sensor with IP address or without IP address ?


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Mon, 8 Jun 2015 17:18:41 +0000

The traffic has to be spanned to snort or snort has to be inline to get packets. Otherwise your interface will only see 
broadcast traffic more than likely.

Once you remove the IP address those packets will not be sent to your sensing interface.


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Marcio Guerreiro [mailto:marcio.guerreiro () hotmail co uk]
Sent: Monday, June 08, 2015 11:40 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Should I setup NIC sensor with IP address or without IP address ?


Hello all



I am having problems generating alerts and I think it might be related to my network card configuration:



I read that the network card in promiscuous mode should not have an IP address. However, when I follow the instructions to 
set up the interface as 0.0.0.0, I cannot generate any type of alerts.

On the other hand when I add an IP address I manage to generate TWO types of alerts using the following rules:



[cid:image003.png@01D0A1ED.A01D72F0]



The alerts are shown here... it captures the ping ICMP and the TCP packets from my SSH session



[cid:image004.png@01D0A1ED.A01D72F0]





But if I try to generate alerts using the following rule it does not work.



[cid:image005.png@01D0A1ED.A01D72F0]



Or this other rule does not work either...



[cid:image006.png@01D0A1ED.A01D72F0]





I was wondering if the problem is related to my network configuration.

My network setup is...

The Generic Receive Offload is off, but LRO cannot be changed (Cannot change large-receive-offload); I assume that my network card does 
not support this feature.

[cid:image007.png@01D0A1ED.A01D72F0][cid:image008.png@01D0A1ED.A01D72F0]
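
Added example, not part of either message above: a small check for the point made in the reply, that a sensing interface on an ordinary switch port sees little beyond broadcast traffic unless the traffic is spanned to it or the sensor is inline. It classifies captured Ethernet frames by destination MAC; the MAC addresses and frames are constructed sample data, and the function names are hypothetical.

```python
from collections import Counter

BROADCAST = b"\xff" * 6

def classify(frame: bytes, sensor_mac: bytes) -> str:
    """Classify one Ethernet frame by its destination MAC (first 6 bytes)."""
    if len(frame) < 14:                 # shorter than an Ethernet header
        return "truncated"
    dst = frame[:6]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                   # I/G bit set: group (multicast) address
        return "multicast"
    if dst == sensor_mac:
        return "unicast_to_sensor"
    return "unicast_to_other"

def summarize(frames, sensor_mac):
    """Return (counts per class, True if other hosts' unicast traffic is seen)."""
    counts = Counter(classify(f, sensor_mac) for f in frames)
    # Unicast frames addressed to other hosts normally reach the sensor only
    # when the switch mirrors them (SPAN) or the sensor is inline / on a tap.
    return dict(counts), counts["unicast_to_other"] > 0

def eth(dst: str, src: str, ethertype: int = 0x0800) -> bytes:
    """Build a constructed Ethernet frame: header plus dummy payload."""
    to_b = lambda m: bytes.fromhex(m.replace(":", ""))
    return to_b(dst) + to_b(src) + ethertype.to_bytes(2, "big") + b"\x00" * 46

# Constructed addresses (locally administered), not taken from the thread.
S, A, B = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:0b"
SENSOR = bytes.fromhex(S.replace(":", ""))

NOT_MIRRORED = [
    eth("ff:ff:ff:ff:ff:ff", A, 0x0806),  # ARP request (broadcast)
    eth("01:00:5e:00:00:fb", B),          # IPv4 multicast group address
    eth(S, A),                            # host A talking to the sensor itself
]
MIRRORED = NOT_MIRRORED + [eth(B, A), eth(A, B)]  # A <-> B conversation

if __name__ == "__main__":
    for name, cap in (("not mirrored", NOT_MIRRORED), ("mirrored", MIRRORED)):
        counts, sees_others = summarize(cap, SENSOR)
        print(f"{name}: {counts} -> sees other hosts' unicast: {sees_others}")
```

If a capture taken on the sensing interface never yields `unicast_to_other`, rules that match traffic between other hosts have nothing to fire on, regardless of how the interface is addressed.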
