Snort mailing list archives

Re: Re: Snort & Acid


From: Erek Adams <erek () snort org>
Date: Wed, 21 May 2003 10:02:36 -0400 (EDT)

On Tue, 20 May 2003 Colin.Slevin () transwareplc com wrote:

> I am having another problem. I have two network cards on my machine, one
> for sniffing and one for normal network activity. When I type snort -W I
> get these two NIC cards which are correct. But the card I want to sniff is
> the second but snort is using the first even when I specify the second in
> the snort.conf.

Well...  Without knowing how you're starting Snort or what you have in
your snort.conf file, I'm guessing...  Snort can only sniff on one
interface at a time.  You'll have to run two instances if you want to
sniff on two different cards.  If you have the -i <interface> parameter
used on the command line it will override anything set in the snort.conf.
So try starting with -i 2 instead of -i 1 and having the second interface
in the snort.conf file.  Is the second interface connected to a DSL or
Cable modem?  If it's any type of NDIS link then you're out of luck as the
current versions of Winpcap no longer support dialup adapters.

> What do I do to change the situation? I know that one
> should be in promiscuous mode but all traffic seems to be directed through
> this card.

I'm sorry, but that doesn't make much sense.  'This card?'  _Which_ card
are you talking about?  What do you mean by 'all traffic?'

> I am using snort on Win2k with mysql and acid and obviously php.
> \Device\NPF_{37B8DFB9-9F3C-4585-BF8C-F65A3422564B} (Intel 8255x-based
> Integrated Fast Ethernet) normal traffic  (IP 10.0.0.46)
> \Device\NPF_{185E1F8A-0E33-4774-9193-076063E4A164} (Compac
> Ethernet/FastEthernet or Gigabit NIC) promiscuous mode (IP 10.0.0.47) I
> don't think that this should have an IP address so if you can also tell me
> how to get this to sniff without an IP address that would be great too ...

Check the 2.0 FAQ, #3.1

The 2.0 FAQ is located in the /doc directory of the tarball.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

