Snort mailing list archives
Re: Snort.conf & stealth mode
From: Demetri Mouratis <dmourati () cm math uiuc edu>
Date: Fri, 23 May 2003 13:43:22 -0500 (CDT)
See comments inline: On Fri, 23 May 2003, francesco wrote:
Recently (April 03) someone asked how to start the OS and Snort in stealth mode. My question is slightly different: - Is it required any special setting of the VAR interface address (for a stealth mode card) or just run it the way it is?
No special setting is required. Bring the interface up, then point your snort instance at that interface with the -i option. # ifconfig eth1 up # snort -dev -i eth1
-BTW is it necessary to specify the promisc option for the ifconfig activation command?
No, snort will put the interface into promiscuous mode by default. One caveat I've noticed with Linux (2.4.x kernels) is that you cannot have two snort instances on the same interface in promiscuous mode automatically. In this case, use the -p option to snort at run time and manually put the interface into promiscuous mode with: # ifconfig eth1 promisc
I am confused, as there is very little about that (also the FAQ 3.1 & 3.29 goes straight through this but the snort.conf file is not mentioned at all). Thanks to anyone is going to answer. Francesco ------------------------------------------------------- This SF.net email is sponsored by: ObjectStore. If flattening out C++ or Java code to make your application fit in a relational database is painful, don't do it! Check out ObjectStore. Now part of Progress Software. http://www.objectstore.net/sourceforge _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--------------------------------------------------------------------- Demetri Mouratis dmourati () linfactory com ------------------------------------------------------- This SF.net email is sponsored by: ObjectStore. If flattening out C++ or Java code to make your application fit in a relational database is painful, don't do it! Check out ObjectStore. Now part of Progress Software. http://www.objectstore.net/sourceforge _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort.conf & stealth mode francesco (May 19)
- <Possible follow-ups>
- Snort.conf & stealth mode francesco (May 23)
- Re: Snort.conf & stealth mode Demetri Mouratis (May 23)
- Re: Snort.conf & stealth mode Erek Adams (May 23)