[Snort-users] Dual ethernet cards under Linux - could be of use to others

Guy Bruneau bruneau at ...126...
Thu Nov 2 20:37:05 EST 2000


The way I have done it is by turning the second card into promiscuous mode in the
following way at startup. In rc.local add:

/sbin/ifconfig eth0 promisc

The result of ifconfig shows the following

eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          RX packets:26731 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:10 Base address:0xd000

Keeping the card invisible to the network. Check out the statistics. 26731
packets received and nothing else. The other card (management) has IPChains
blocking everything.



Jason Haar wrote:

> [Bit OT but I don't care ;-)]
> More of a comment than anything, but I decided to put a second Ethernet card
> (eth1) in my RedHat 6.2 workstation so I could monitor two segments of our
> network with snort. One of the new things I wanted to try was to use
> ipchains to stop anyone else being able to even see eth1. So I set ipchains
> to disabled all SENT packets, but to allow incoming so snort would still see
> them.
> First surprise. Hosts sending out ARPs for my eth0 IP address were seeing
> ARP replies from eth1 (looks like it was round-robining - some saw eth0 and
> some saw eth1 MAC address)! I have IP forwarding disabled of course, but it
> appears to make no difference. Looks to me that under Linux "ip forwarding"
> means routing - interfaces on the same host don't count as routing...
> Secondly, as these packets are ARPs, they're not IP - so ipchains didn't
> stop them. Should have thought of that... (is there a way of stopping non-IP
> packets?)
> Thirdly, machines pinging the IP address of eth1 still worked! They'd see
> eth1 as the MAC address, send the packets to that, and it would forward them
> through eth0 as that was the default route for the local network! Again,
> unexpected result.
> So I decided to use ipchains to stop incoming packets on eth1 too. Next
> strange result, snort could still see all packets on eth1! Looks like
> promiscuous mode beats ipchains! This did stop anyone being able to send IP
> packets to the IP address of eth1 thankfully.
> All in all a pretty weird event - learnt some things I didn't expect.
> So, I'll ask again. Does anyone know of a non-IP packet filter for Linux so
> I can stop those ARP packets? How about a fix for eth1 merrily talking to
> eth0? Is that a bug or a feature?
> [I was surprised how "resilient" those packets were. They always found a way
> through ;-)]
> --
> Cheers
> Jason Haar
> Unix/Special Projects, Trimble NZ
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
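As an added example (not part of the post or of Snort), a small Python check for the setup Guy describes: parse ifconfig output and confirm the sniffing card is in promiscuous mode, has no IP address (so it cannot answer the ARPs and pings Jason saw) and has transmitted nothing. The sample output is constructed, including the flags line the post omits, and the interface names and addresses are assumptions.

```python
import re

# Constructed sample of Linux 2.2-era ifconfig output (not copied from the
# post): eth0 is the sniffing card brought up without an address, eth1 is
# the management card with an IP address.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:26731 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:10 Base address:0xd000

eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:66
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1200 errors:0 dropped:0 overruns:0 frame:0
          TX packets:845 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:11 Base address:0xd400
"""


def parse_ifconfig(text):
    """Return {iface: {"promisc": bool, "inet": str or None, "tx": int}}."""
    ifaces = {}
    # Interfaces are separated by a blank line in this ifconfig format.
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        name = lines[0].split()[0]
        body = "\n".join(lines)
        inet = re.search(r"inet addr:(\S+)", body)
        tx = re.search(r"TX packets:(\d+)", body)
        ifaces[name] = {
            "promisc": bool(re.search(r"\bPROMISC\b", body)),
            "inet": inet.group(1) if inet else None,
            "tx": int(tx.group(1)) if tx else 0,
        }
    return ifaces


def stealth_problems(info):
    """List the reasons a sniffing interface would still be visible."""
    problems = []
    if not info["promisc"]:
        problems.append("not in promiscuous mode")
    if info["inet"] is not None:
        problems.append("has IP address %s (will answer ARP/ping)" % info["inet"])
    if info["tx"] != 0:
        problems.append("has transmitted %d packets" % info["tx"])
    return problems
```

On a real box, feed it the output of `/sbin/ifconfig`; an empty list for the sniffing card means it matches what Guy's statistics show.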
