Snort mailing list archives

Re: Snort.conf & stealth mode

From: Demetri Mouratis <dmourati () cm math uiuc edu>
Date: Fri, 23 May 2003 13:43:22 -0500 (CDT)

See comments inline:
On Fri, 23 May 2003, francesco wrote:

Recently (April 03) someone asked how to start the OS and Snort in stealth
mode.

My question is slightly different:
- Is it required any special setting of the VAR interface address (for a
stealth mode card) or just run it the way it is?


No special setting is required.  Bring the interface up, then point your
snort instance at that interface with the -i option.

# ifconfig eth1 up
# snort -dev -i eth1

-BTW is it necessary to specify the promisc option for the ifconfig
activation command?


No, snort will put the interface into promiscuous mode by default.  One
caveat I've noticed with Linux (2.4.x kernels) is that you cannot have two
snort instances on the same interface in promiscuous mode automatically.
In this case, use the -p option to snort at run time and manually put the
interface into promiscuous mode with:

# ifconfig eth1 promisc


I am confused, as there is very little about that (also the FAQ 3.1 & 3.29
goes straight through this but the snort.conf file is not mentioned at all).

Thanks to anyone is going to answer.
Francesco



-------------------------------------------------------
This SF.net email is sponsored by: ObjectStore.
If flattening out C++ or Java code to make your application fit in a
relational database is painful, don't do it! Check out ObjectStore.
Now part of Progress Software. http://www.objectstore.net/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com



-------------------------------------------------------
This SF.net email is sponsored by: ObjectStore.
If flattening out C++ or Java code to make your application fit in a
relational database is painful, don't do it! Check out ObjectStore.
Now part of Progress Software. http://www.objectstore.net/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort.conf & stealth mode francesco (May 19)
- <Possible follow-ups>
- Snort.conf & stealth mode francesco (May 23)
  - Re: Snort.conf & stealth mode Demetri Mouratis (May 23)
  - Re: Snort.conf & stealth mode Erek Adams (May 23)