Snort mailing list archives

Re: Cannot get Snort listen on a second network interface (creating a gateway)


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Mon, 23 Feb 2015 12:05:01 +0000

Hello Henry,

Use “-i ” to set the monitoring interface. Some other uses with the daq are listed here: 
http://manual.snort.org/node7.html

If you set an IP on that interface snort will only see the packets destined for that host.

You may want to span traffic to the monitoring interface and put it into promiscuous mode so you can see all traffic on 
that subnet.

Also… Hosts on your network won't use your gateway to access each other because based on your subnet mask/network number 
they are all in the same subnet. Once they ARP for the destination they will send the packets directly to the end point 
and not your machine. Hosts will only use a default gateway to get to networks they don’t know about (not within their 
current subnet).


Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Henry Collins [mailto:hcol1987 () gmail com]
Sent: Monday, February 23, 2015 5:41 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Cannot get Snort listen on a second network interface (creating a gateway)

I have a small subnet that consists of several computers. I want these computers to be configured in such a way that they 
would use my gateway to access each other and the external internet.

There is already a gateway working in the subnet, but it doesn't have Snort installed. Its IP is 10.165.17.1

I am working on creating another gateway that would use the upper gateway to serve computers in the subnet, but this 
gateway would receive packets from computers in the subnet. In this way, I want to instruct Snort to listen on for 
example eth1, which would be used for computers in the subnet and eth0 for communication with the subnet's gateway 
(10.165.17.1). How is it done?

Here is a short overview of my network:

Gateways:
10.165.17.1 (has access to external internet and computers in the subnet)
10.165.17.70 (is used by computers in the subnet as gateway and uses 10.165.17.1 as its gateway)

Computers:
10.165.17.60 (gateway: 10.165.17.70)
10.165.17.61 (gateway: 10.165.17.70)
and so on...

This is my /etc/network/interfaces so far. However, eth1 doesn't get an IP. How do I fix this? I want to make Snort 
listen on eth1:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 10.165.17.66
gateway 10.165.17.1
dns-nameservers 10.165.0.10 10.165.0.11
netmask 255.255.255.0
broadcast 10.165.17.255

# The secondary network interface
auto eth1
iface eth1 inet static
address 10.165.17.70
gateway 10.165.17.1
dns-nameservers 10.165.0.10 10.165.0.11
netmask 255.255.255.0
broadcast 10.165.17.255

This is output from ifconfig:

eth0      Link encap:Ethernet  HWaddr 00:0c:29:83:e8:ff
          inet addr:10.165.17.66  Bcast:10.165.17.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe83:e8ff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:137 errors:0 dropped:21 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:16987 (16.9 KB)  TX bytes:928 (928.0 B)

eth1      Link encap:Ethernet  HWaddr 00:0c:29:83:e8:09
          inet6 addr: fe80::20c:29ff:fe83:e809/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:92 errors:0 dropped:11 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9675 (9.6 KB)  TX bytes:648 (648.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
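
Added example, not part of the original messages: a small model of the forwarding decision described in the reply, applied to the addresses in this thread, showing which legs of a conversation reach Snort on 10.165.17.70 with and without a SPAN port. It goes one step past the reply by also checking the return leg from the upstream router. Assumptions: 10.165.17.70 forwards without NAT, and 203.0.113.10 is a constructed off-subnet address.

```python
import ipaddress

NETMASK = "255.255.255.0"      # from the interfaces file in the post
UPSTREAM_GW = "10.165.17.1"    # existing gateway (no Snort)
SENSOR_GW = "10.165.17.70"     # Snort box the hosts use as their gateway
EXTERNAL = "203.0.113.10"      # constructed off-subnet address (TEST-NET-3)

# Default gateway configured on each sender, per the post's network overview.
DEFAULT_GW = {
    "10.165.17.60": SENSOR_GW,
    "10.165.17.61": SENSOR_GW,
    SENSOR_GW: UPSTREAM_GW,
}

def l2_next_hop(sender, dst, gateway, netmask=NETMASK):
    """IP the sender ARPs for: dst itself when on-link, otherwise its gateway."""
    subnet = ipaddress.ip_network(f"{sender}/{netmask}", strict=False)
    return dst if ipaddress.ip_address(dst) in subnet else gateway

def sensor_sees(sender, dst, span=False):
    """True if a frame put on the segment by `sender` for `dst` reaches Snort.

    `sender` is the device transmitting on this segment (a host, or the
    upstream router when it delivers a reply). Assumes no NAT on the sensor.
    """
    if span:  # mirrored switch port + promiscuous mode: every frame is copied
        return True
    gw = DEFAULT_GW.get(sender)  # None for the upstream router (on-link only)
    return SENSOR_GW in (dst, l2_next_hop(sender, dst, gw))

def visibility(span=False):
    """Which legs of typical conversations Snort on the sensor can inspect."""
    legs = {
        "host -> host": ("10.165.17.60", "10.165.17.61"),
        "host -> external": ("10.165.17.60", EXTERNAL),
        "reply, upstream router -> host": (UPSTREAM_GW, "10.165.17.60"),
    }
    return {name: sensor_sees(s, d, span) for name, (s, d) in legs.items()}

if __name__ == "__main__":
    for span in (False, True):
        print(f"SPAN/promiscuous: {span}")
        for name, seen in visibility(span).items():
            print(f"  {name:32} seen by Snort: {seen}")
```

Without the SPAN port only the outbound leg is visible, because the upstream router and the hosts share 10.165.17.0/24 and replies are delivered on-link.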
