Snort mailing list archives

RE: Two Ethernet Interfaces?

From: "Scott, Joshua" <Joshua.Scott () Jacobs com>
Date: Mon, 4 Nov 2002 14:41:45 -0800

It is possible to have one interface both in promisc mode and participating
in the network.  

However it is generally a best practice to have a management interface and a
passive/stealth interface.  This way the management interface can be
connected into a secured network and the stealth interface could essentially
be connected anywhere.  

But, to answer your question...Yes you can get away with only one interface.


Joshua Scott
Security Systems Analyst, CISSP
626-568-7024


-----Original Message-----
From: Mike Koponick [mailto:mike () redhawk info] 
Sent: Monday, November 04, 2002 2:20 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Two Ethernet Interfaces?


I was wondering if it was absolutely necessary to have TWO ethernet
interfaces for the Snort sensor? Is this done for security or performance
issues? I would think that if you had one interface it would work fine if
there wasn't a lot of traffic. However, I would like to run in promisc mode,
as I could "catch" more traffic that way, so I would assume if you wanted to
run in promisc mode you would have to have two ethernet interfaces, true?

Thanks in advance for you help.

Mike



-------------------------------------------------------
This SF.net email is sponsored by: ApacheCon, November 18-21 in Las Vegas
(supported by COMDEX), the only Apache event to be fully supported by the
ASF. http://www.apachecon.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


======================================================================================
NOTICE - This communication may contain confidential and privileged information that is for the sole use of the 
intended recipient. Any viewing, copying or distribution of, or reliance on this message by unintended recipients is 
strictly prohibited. If you have received this message in error, please notify us immediately by replying to the 
message and deleting it from your computer.

==============================================================================



-------------------------------------------------------
This SF.net email is sponsored by: ApacheCon, November 18-21 in
Las Vegas (supported by COMDEX), the only Apache event to be
fully supported by the ASF. http://www.apachecon.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Re: Two Ethernet Interfaces? Peter Param (Nov 04)
- <Possible follow-ups>
- RE: Two Ethernet Interfaces? Scott, Joshua (Nov 04)
- RE: Two Ethernet Interfaces? Mike Koponick (Nov 04)
- Re: Two Ethernet Interfaces? Justin Jessup (Nov 04)
- RE: Two Ethernet Interfaces? Security Admin (Nov 05)
- RE: Two Ethernet Interfaces? Security Admin (Nov 06)