Snort mailing list archives

Re: Stealth Interface on Redhat 8.0, 7.2, or 6.0???


From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Sun, 23 Feb 2003 03:35:35 +0100


Hi Mike,

I can only tell you how it is working for me.

It was right to remove the ifcfg-eth0-script. After reboot the following
command is starting up your interface, telling it not to send any ARP-packets
and go to the promiscuous mode in order to "see" the packets which are not
directed to that system:

ifconfig eth0 -arp promisc up

After that you can simply start snort (or tcpdump) with the -i switch. It
is perfectly working for me, it should for you too.

Try simply running "service network stop" and then the command above.

Greetings,

Edin

PS: Use a newer libpcap, for example the Phil Wood ringbuffer-
enhanced version: http://public.lanl.gov/cpw/

Mike Chandler wrote:
I'm running Redhat 8.0 and libpcap-0.6.2-16 and I installed
snort-mysql+flexresp-1.9.0-1 successfully.  Everything seemed to work fine
until I tried to configure the interface as a stealth port.  I followed the
directions in the faq and rechecked everything several times but I must be
missing.

I removed ifcfg-eth0 from /etc/sysconfig/network-scripts and rebooted.
After a reboot I typed "ifconfig eth0 up" and confirmed the interface was up
without an IP address.  Then I typed "snort-mysql+flexresp -v -c
/etc/snort/snort.conf" and got a message "Failed to lookup for interface: no
suitable device found."  I tried specifying an interface and got the same
message.  I even tried "ifconfig eth0 promisc" and got the same results.  I
suspect the problem is with libpcap since I get the "no suitable device
found" with tcpdump also.  I'm hoping this is something simple that I'm
missing because I've tried the same thing on computers running Redhat 7.2
and 6.0 (different nic's) with tcpdump with the same results.

Does anyone have a clue?  I've read manuals and faq's and searched Google
till I'm blue in the face.
--
Edin Dizdarevic
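
Added example, not part of the original messages: a shell check that the interface state described in the reply above (up, no ARP, promiscuous, no address) is actually in effect, run here over constructed ifconfig output in both the old net-tools layout and the newer flags=<...> layout. The function name stealth_problems and the sample outputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit `ifconfig <iface>` output for a stealth sniffing
# interface. stealth_problems is a hypothetical helper: it prints one line
# per problem found and prints nothing when the interface looks right.

stealth_problems() {
    out=$1    # text of `ifconfig <iface>`
    for flag in UP NOARP PROMISC; do
        # Flags are upper-case words delimited by spaces, commas or < >
        printf '%s\n' "$out" | grep -Eq "(^|[ <,])$flag([ >,]|\$)" ||
            echo "missing flag: $flag"
    done
    # Any IPv4/IPv6 address means the sensor can be addressed on the segment
    printf '%s\n' "$out" | grep -Eq '(^|[[:space:]])inet6?[[:space:]]' &&
        echo "address configured"
    return 0
}

# Constructed sample: state after `ifconfig eth0 -arp promisc up` (old layout)
SAMPLE_STEALTH='eth0      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0'

# Constructed sample: state after a plain `ifconfig eth0 up`
SAMPLE_PLAIN='eth0      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Constructed sample: newer layout, promiscuous but still addressed and ARPing
SAMPLE_ADDR='eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.0.2.10  netmask 255.255.255.0  broadcast 192.0.2.255'

for sample in "$SAMPLE_STEALTH" "$SAMPLE_PLAIN" "$SAMPLE_ADDR"; do
    echo "--"
    stealth_problems "$sample"
done
```

On a live sensor, pass the real output instead of a sample: stealth_problems "$(ifconfig eth0)".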


