Snort mailing list archives

RE: Using snort to listen on a nic without an IP


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 21 Jan 2004 17:51:12 -0600

-----Original Message-----
From: snort-users-admin () lists sourceforge net 
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of 
Mark Reis
Sent: Wednesday, January 21, 2004 3:51 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Using snort to listen on a nic without an IP

I have snort running on a FreeBSD 5.1 box and was using it to 
monitor the uplink for ~1500 machines. Unfortunately, I found 
out that all of this traffic would flood the network 
connection and I could hardly even ssh into the machine. So 
I've placed a second nic into the machine and I would like to 
configure it for snort to listen without giving it an IP. 

I'd appreciate help on what conf changes I'd need to do with 
both FreeBSD and snort.

In /etc/rc.conf:
ifconfig_nic1="promisc up"
ifconfig_nic2="inet IP_address netmask mask"

Start snort with:
/usr/local/bin/snort -c /usr/local/etc/snort.conf -i nic1 {whatever else you want}

(Obviously, nic1 and nic2 need to be the actual interfaces, e.g. xl0,
xl1, etc.)

The promiscuous NIC needs to *not* be inline with the uplink, but
"tapped" into it either by using a spanning port or an actual tap.  The
"live" NIC should not be Internet addressable, if possible.  (Private IP
or management network, etc.)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
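
Added example, not part of the original message: a POSIX sh check that an interface pair matches the layout described in the reply above (sniffing NIC up, promiscuous and without an address; management NIC on a private IPv4 address). The ifconfig output is a constructed sample, and xl0/xl1 are assumed to be the sniffing and management interfaces.

```sh
#!/bin/sh
# Constructed sample of FreeBSD-style ifconfig output (not from a real host).
# Assumption: xl0 = sniffing NIC, xl1 = management NIC.
SAMPLE='xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    ether 00:00:5e:00:53:01
    status: active
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 10.0.0.5 netmask 0xffffff00 broadcast 10.0.0.255
    ether 00:00:5e:00:53:02
    status: active'

# Print only the stanza for interface $1 from ifconfig text on stdin.
stanza() {
    awk -v ifn="$1" '
        /^[a-z]/ { keep = ($1 == (ifn ":")) }
        keep     { print }
    '
}

# Sniffing NIC: must be UP and PROMISC and carry no inet/inet6 address.
# Echoes "ok" or a reason; returns 0 only for "ok".
check_sniffer() {
    s=$(printf '%s\n' "$2" | stanza "$1")
    [ -n "$s" ] || { echo "missing"; return 1; }
    flags=$(printf '%s\n' "$s" | sed -n '1s/.*<\(.*\)>.*/\1/p')
    case ",$flags," in *,UP,*) ;; *) echo "down"; return 1 ;; esac
    case ",$flags," in *,PROMISC,*) ;; *) echo "not-promisc"; return 1 ;; esac
    if printf '%s\n' "$s" | grep -Eq '^[[:space:]]+inet6?[[:space:]]'; then
        echo "has-address"; return 1
    fi
    echo "ok"
}

# Management NIC: its IPv4 address must be in RFC 1918 private space.
check_mgmt() {
    ip=$(printf '%s\n' "$2" | stanza "$1" | awk '$1 == "inet" { print $2; exit }')
    case "$ip" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo "ok" ;;
        "") echo "no-address"; return 1 ;;
        *)  echo "public"; return 1 ;;
    esac
}

check_sniffer xl0 "$SAMPLE"
check_mgmt    xl1 "$SAMPLE"
```

On a live sensor, pass "$(ifconfig)" in place of $SAMPLE. An inet6 line on the sniffing NIC is reported as has-address too, since an IPv6 address leaves the interface addressable just as an IPv4 one does.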

