Snort mailing list archives
Re: Using snort to listen on a nic without an IP
From: "M. Morgan" <mikemorgan () mindspring com>
Date: Wed, 21 Jan 2004 17:31:51 -0500 (GMT-05:00)
Mark,

I use dual NIC machines in the following configuration on Linux; you'll have to change it a bit for BSD but you'll get the idea:

IP# 0.0.0.0 / eth0, netmask 255.255.255.0 / on a sniffed network
IP# 192.168.1.x / eth1, netmask 255.255.255.0 / on a local LAN for admin purposes

You'll need to use the "route" command to view the routing table: (man route)

There should be a default gateway entry for eth0, remove it. eth1 won't have a default gateway set, add one now. This is how it should look when you've changed it:

~~~~~~~~~~~~~~~~~~~~~
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.1.2     0.0.0.0         UG    1      0        0 eth1
~~~~~~~~~~~~~~~~~~~~~

After a reboot the ifconfig should read like this. Notice no packets are transmitted from eth0 and there is no inet addr.

~~~~~~~~~~~~~~~~~~~~~~~~~~
eth0      Link encap:Ethernet  HWaddr 00:05:5D:50:15:12
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:508099 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:67143966 (64.0 Mb)  TX bytes:0 (0.0 b)
          Interrupt:10 Base address:0xec00

eth1      Link encap:Ethernet  HWaddr 00:0A:E6:8F:8E:BD
          inet addr:192.168.1.31  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:68839 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14828 errors:0 dropped:0 overruns:0 carrier:0
          collisions:302 txqueuelen:100
          RX bytes:8762243 (8.3 Mb)  TX bytes:1038227 (1013.8 Kb)
          Interrupt:11 Base address:0xd800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4701 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4701 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:488904 (477.4 Kb)  TX bytes:488904 (477.4 Kb)
~~~~~~~~~~~~~~~~~~~~~

Use "tcpdump -i eth0 -a" to verify that eth0 is sniffing traffic on your hostile network.

That's about it.

Michael

-----Original Message-----
From: Mark Reis <mcr2z () cs virginia edu>
Sent: Jan 21, 2004 4:50 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Using snort to listen on a nic without an IP

Hello,

I have snort running on a FreeBSD 5.1 box and was using it to monitor the uplink for ~1500 machines. Unfortunately, I found out that all of this traffic would flood the network connection and I could hardly even ssh into the machine. So I've placed a second nic into the machine and I would like to configure it for snort to listen without giving it an IP. I'd appreciate help on what conf changes I'd need to do with both freebsd and snort.

Thanks,
Mark

-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
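
Added example, not part of the original message: a shell check for the two conditions the reply points at in its ifconfig output, namely no inet addr and TX packets 0 on the sniffing interface. It assumes the classic net-tools ifconfig layout shown in the message; the function names and the abridged sample text are constructed for illustration.

```shell
#!/bin/sh
# check_stealth_iface IFACE   (ifconfig text on stdin)
# Exit status: 0 = IFACE has no "inet addr" and TX packets is 0
#              1 = IFACE has an IPv4 address or has transmitted packets
#              2 = IFACE does not appear in the input
# Assumption: classic net-tools layout ("inet addr:", "TX packets:N").
check_stealth_iface() {
    awk -v want="$1" '
        # A stanza starts on a line whose first column is not blank.
        /^[^ \t]/ { cur = $1; if (cur == want) found = 1 }
        cur == want && /inet addr:/ { has_ip = 1 }
        cur == want && /TX packets:/ {
            split($2, f, ":")      # $2 looks like "packets:0"
            tx = f[2] + 0
        }
        END {
            if (!found) exit 2
            if (has_ip || tx > 0) exit 1
            exit 0
        }
    '
}

# Constructed sample: the eth0 and eth1 stanzas from the message, abridged.
sample_ifconfig() {
    cat <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:05:5D:50:15:12
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:508099 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

eth1      Link encap:Ethernet  HWaddr 00:0A:E6:8F:8E:BD
          inet addr:192.168.1.31  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:68839 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14828 errors:0 dropped:0 overruns:0 carrier:0
EOF
}

# On a live sensor the input would be: ifconfig | check_stealth_iface eth0
sample_ifconfig | check_stealth_iface eth0 \
    && echo "eth0: no inet addr, TX packets 0"
```

A nonzero TX count on the sniffing interface is worth investigating even when no address is configured, since it means the host has sent frames onto the monitored network.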
Current thread:
- Using snort to listen on a nic without an IP Mark Reis (Jan 21)
- Re: Using snort to listen on a nic without an IP james (Jan 21)
- Re: Using snort to listen on a nic without an IP Frank Knobbe (Jan 21)
- <Possible follow-ups>
- Re: Using snort to listen on a nic without an IP M. Morgan (Jan 21)
- RE: Using snort to listen on a nic without an IP Schmehl, Paul L (Jan 21)
- RE: Using snort to listen on a nic without an IP List Mail (Jan 21)
- Using snort to listen on a nic without an IP Mark Reis (Jan 22)
- RE: Using snort to listen on a nic without an IP Vigilant Labs (Jan 22)
- Re: Using snort to listen on a nic without an IP james (Jan 21)