Snort mailing list archives
RE: Using snort to listen on a nic without an IP
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 21 Jan 2004 17:51:12 -0600
-----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Mark Reis Sent: Wednesday, January 21, 2004 3:51 PM To: snort-users () lists sourceforge net Subject: [Snort-users] Using snort to listen on a nic without an IP I have snort running on a FreeBSD 5.1 box and was using it to monitor the uplink for ~1500 machines. Unfortunately, I found out that all of this traffic would flood the network connection and I could hardly even ssh into the machine. So I've placed a second nic into the machine and I would like to configure it for snort to listen without giving it an IP. I'd appreciate help on what conf changes I'd need to do with both freebsd and snort.
In /etc/rc.conf: ifconfig_nic1="promisc up" ifconfig_nic2="inet IP_address netmask mask" Start snort with: /usr/local/bin/snort -c /usr/local/etc/snort.conf -i nic1 {whatever else you want} (Obviously, nic1 and nic2 need to be the actual interfaces, e.g. xl0, xl1, etc.) The promiscuous NIC needs to *not* be inline with the uplink, but "tapped" into it either by using a spanning port or an actual tap. The "live" NIC should not be Internet addressable, if possible. (Private IP or management network, etc.) Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/~pauls/ ------------------------------------------------------- The SF.Net email is sponsored by EclipseCon 2004 Premiere Conference on Open Tools Development and Integration See the breadth of Eclipse activity. February 3-5 in Anaheim, CA. http://www.eclipsecon.org/osdn _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Using snort to listen on a nic without an IP Mark Reis (Jan 21)
- Re: Using snort to listen on a nic without an IP james (Jan 21)
- Re: Using snort to listen on a nic without an IP Frank Knobbe (Jan 21)
- <Possible follow-ups>
- Re: Using snort to listen on a nic without an IP M. Morgan (Jan 21)
- RE: Using snort to listen on a nic without an IP Schmehl, Paul L (Jan 21)
- RE: Using snort to listen on a nic without an IP List Mail (Jan 21)
- Using snort to listen on a nic without an IP Mark Reis (Jan 22)
- RE: Using snort to listen on a nic without an IP Vigilant Labs (Jan 22)
- Re: Using snort to listen on a nic without an IP james (Jan 21)