[Snort-users] Dual ethernet cards under Linux - could be of use to others

Guy Bruneau bruneau at ...126...
Thu Nov 2 20:37:05 EST 2000


Jason,

The way I have done it is by turning the second card into promiscuous mode in the
following way at startup. In rc.local add:

/sbin/ifconfig eth0 0.0.0.0 promisc

The result of ifconfig shows the following

eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:26731 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:10 Base address:0xd000

Keeping the card invisible to the network. Check out the statistics. 26731
packets received and nothing else. The other card (management) has IPChains
blocking everything.

Cheers,

Guy


Jason Haar wrote:

> [Bit OT but I don't care ;-)]
>
> More of a comment than anything, but I decided to put a second Ethernet card
> (eth1) in my RedHat 6.2 workstation so I could monitor two segments of our
> network with snort. One of the new things I wanted to try was to use
> ipchains to stop anyone else being able to even see eth1. So I set ipchains
> to disable all SENT packets, but to allow incoming so snort would still see
> them.
>
> First surprise. Hosts sending out ARPs for my eth0 IP address were seeing
> ARP replies from eth1 (looks like it was round-robining - some saw eth0 and
> some saw eth1 MAC address)! I have IP forwarding disabled of course, but it
> appears to make no difference. Looks to me that under Linux "ip forwarding"
> means routing - interfaces on the same host don't count as routing...
>
> Secondly, as these packets are ARPs, they're not IP - so ipchains didn't
> stop them. Should have thought of that... (is there a way of stopping non-IP
> packets?)
>
> Thirdly, machines pinging the IP address of eth1 still worked! They'd see
> eth1 as the MAC address, send the packets to that, and it would forward them
> through eth0 as that was the default route for the local network! Again,
> unexpected result.
>
> So I decided to use ipchains to stop incoming packets on eth1 too. Next
> strange result, snort could still see all packets on eth1! Looks like
> promiscuous mode beats ipchains! This did stop anyone being able to send IP
> packets to the IP address of eth1 thankfully.
>
> All in all a pretty weird event - learnt some things I didn't expect.
>
> So, I'll ask again. Does anyone know of a non-IP packet filter for Linux so
> I can stop those ARP packets? How about a fix for eth1 merrily talking to
> eth0? Is that a bug or a feature?
>
> [I was surprised how "resilient" those packets were. They always found a way
> through ;-)]
>
> --
> Cheers
>
> Jason Haar
>
> Unix/Special Projects, Trimble NZ
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
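Guy's approach above, written out as a small script with a check, as an added example that is not part of the original thread. It brings the sniffing card up the way he describes (no IP address, promiscuous) and then verifies from ifconfig-style output that the card really is invisible: PROMISC set, no inet address, and zero TX packets. An interface with no IP address has nothing to answer ARP for, which is why Jason's round-robin ARP replies do not occur with this setup. The interface names, the explicit `up` flag, the function names and the sample ifconfig output are constructed for illustration and are not from the original message.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the classic net-tools
# ifconfig output format shown in Guy's message; interface names and the
# sample output below are constructed.

# Bring up the sensor interface as Guy does: no IP address, promiscuous.
# Run as root at boot (e.g. from rc.local). The explicit "up" is an assumption;
# ifconfig brings the interface up implicitly when given an address.
stealth_up() {
    iface="$1"
    /sbin/ifconfig "$iface" 0.0.0.0 promisc up
}

# Read ifconfig-style output on stdin and check the block for interface $1.
# Return codes: 0 = invisible sensor, 1 = interface not found,
# 2 = PROMISC not set, 3 = has an inet address, 4 = has transmitted packets.
check_stealth() {
    iface="$1"
    # Extract this interface's block: from its name line to the next blank line.
    block=$(awk -v i="$iface" '$1==i{p=1} p&&/^$/{exit} p{print}')
    [ -n "$block" ] || return 1
    printf '%s\n' "$block" | grep -q 'PROMISC' || return 2
    printf '%s\n' "$block" | grep -q 'inet addr' && return 3
    tx=$(printf '%s\n' "$block" | sed -n 's/.*TX packets:\([0-9]*\).*/\1/p')
    [ "$tx" = "0" ] || return 4
    return 0
}

# Constructed sample: eth0 configured as a silent sensor, eth1 a normal
# management interface with an address and outbound traffic.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:26731 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100

eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:02
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1200 errors:0 dropped:0 overruns:0 frame:0
          TX packets:900 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
'

# Usage on a live box: stealth_up eth0; /sbin/ifconfig | check_stealth eth0
# Here we run the check against the constructed sample instead.
if printf '%s\n' "$SAMPLE_IFCONFIG" | check_stealth eth0; then
    echo "eth0: invisible sensor (promisc, no address, TX 0)"
else
    echo "eth0: NOT stealth (code $?)"
fi
```

Run the check periodically (or from the same rc.local) on the sensor: a non-zero TX count on the sniffing card is the quickest sign that something gave it an address or that the kernel is answering on it, which is exactly the behaviour Jason saw.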
