Snort mailing list archives
Re: Couple of quick questions
From: Bennett Todd <bet () rahul net>
Date: Tue, 23 Mar 2004 21:40:07 +0000
I can't help with snorting non-ethernet interfaces (cipe or pptp vpn, ppp) but: 2004-03-23T20:44:18 Charles Lacroix:
While we are at it, can it listen to bonded interfaces like bond0 which joins a couple of interfaces together.
that I can answer, at least in part. I've deployed snort listening on bonded eth interfaces successully. The one quirk, which may have been fixed since, was that promisc wasn't being passed down from bond0 to the bonded ethN interfaces when snort tried to set promisc; the simple fix was to explicitly ifconfig bond0 promisc before ifenslaving the ethN interfaces; promisc _is_ propogated down to the ethN interfaces at ifenslave time. There's been talk since on the bonding-devel list about propogating such attribute changes from bond0 down to the bonded ethN whenever they're set on bond0; I've not paid close enough attention to know whether they've made it into the stock kernel versions, or if so when. bonding.txt has a note in it describing the issue, and also noting that if you're doing an unnumbered interface (common for snort applications) ifenslave will spew a bunch of errors about lack of addresses, which can all be ignored. -Bennett
Attachment:
_bin
Description:
Current thread:
- Couple of quick questions Charles Lacroix (Mar 23)
- Re: Couple of quick questions Bennett Todd (Mar 23)
- Re: Couple of quick questions Jason Haar (Mar 23)
- Re: Couple of quick questions Charles Lacroix (Mar 24)
- Re: Couple of quick questions Jason Haar (Mar 23)
- Re: Couple of quick questions Bennett Todd (Mar 23)