Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Stealth sensor on SPAN port w/o tap

From: Robert MacKinnon <robert.mackinnon () broadpark no>
Date: Wed, 06 Nov 2002 16:29:59 +0100
I've been experimenting with getting my first snort sensor online but have not had success yet with configuring SPAN on the port to which the sensor is installed in a stealth mode.
The environ is PC with dual 100Mb NICs, snort v1.9.0 on RH v7.3. One NIC (eth1) is connected into a managment net and configured with an IP address. The other interface (eth0) is connected to a SPAN port (monitoring three other ports on the same Catalyst 2900XL, same VLAN) and has no IP address assigned.
Running "snort -dev -i eth0" produces no output. OpenPCap() warns about the missing IPv4 address but absolutely no packets are captured. If I assign an IP address to the port, capturing functions as expected.
I've read all I can find on the Internet about taps, SPAN ports and snort but nothing addresses this problem. Will I have to invest in a tap to get this to work? TIA. 

        - Rob.




-------------------------------------------------------
This sf.net email is sponsored by: See the NEW Palm Tungsten T handheld. Power & Color in a compact size! 
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0001en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: