Snort mailing list archives

RE: Using snort to listen on a nic without an IP

From: List Mail <LMail () ccsenergyservices com>
Date: Wed, 21 Jan 2004 16:51:51 -0700

In rc.conf remove the ip address/snm and dfgw for the second nic. If it
isn't there add it in with no info.

ifconfig_eth0="inet 10.0.0.150  netmask 255.255.254.0"
ifconfig_eth1=""

Run #ifconfig eth1 up 

then run snort and use the -i eth1 in your snort command line.

Then run ifconfig -a and you should see both interfaces, one with an IP
connected to your network and the second one in promiscuous mode with no ip
(you'll also see your loopback etc here)


 flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.0.150 netmask 0xfffffe00 broadcast 10.0.0.255
        inet6 fe80::2b0:d0ff:fed0:45a8%fxp0 prefixlen 64 scopeid 0x1
        ether 00:b0:d0:d0:45:a8
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

 flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,promiscuous> mtu 1500
        ether 00:02:b3:30:c9:46
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

Wayne

-----Original Message-----
From: Mark Reis [mailto:mcr2z () cs virginia edu] 
Sent: Wednesday, January 21, 2004 2:51 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Using snort to listen on a nic without an IP


Hello,

I have snort running on a FreeBSD 5.1 box and was using it to monitor the
uplink for ~1500 machines. Unfortunately, I found out that all of this
traffic would flood the network connection and I could hardly even ssh into
the machine. So I've placed a second nic into the machine and I would like
to configure it for snort to listen without giving it an IP. 

I'd appreciate help on what conf changes I'd need to do with both freebsd
and snort.

Thanks,
Mark



-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration See the
breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Using snort to listen on a nic without an IP Mark Reis (Jan 21)
- Re: Using snort to listen on a nic without an IP james (Jan 21)
  - Re: Using snort to listen on a nic without an IP Frank Knobbe (Jan 21)
- <Possible follow-ups>
- Re: Using snort to listen on a nic without an IP M. Morgan (Jan 21)
- RE: Using snort to listen on a nic without an IP Schmehl, Paul L (Jan 21)
- RE: Using snort to listen on a nic without an IP List Mail (Jan 21)
- Using snort to listen on a nic without an IP Mark Reis (Jan 22)
- RE: Using snort to listen on a nic without an IP Vigilant Labs (Jan 22)