[Snort-users] Dual ethernet cards under Linux - could be of use to others

Guy Bruneau bruneau at ...126...
Fri Nov 3 05:42:04 EST 2000


Jason,

Do you still have a valid IP address assigned to the monitoring card? The only IP
assigned to the card must be 0.0.0.0 and the ifconfig command "promisc" in order for
Linux to keep the card from doing anything except receive packet for whichever IDS
you would like to use (Snort, Shadow, etc)

Cheers,

Guy

--
Guy Bruneau
Ma page est a/My page at: http://www.penguinpowered.com/~bruneau

Jason Haar wrote:

> On Thu, Nov 02, 2000 at 08:37:05PM -0500, Guy Bruneau wrote:
> > Jason,
> >
> > The way I have done it is by turning the second card into promicous mode in the
> > following way  at startup. In rc.local add:
> >
> > /sbin/ifconfig eth0 0.0.0.0 promisc
> >
> > The result of ifconfig shows the following
> >
> > eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
> >           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
> >           RX packets:26731 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:100
> >           Interrupt:10 Base address:0xd000
> >
> > Keeping the card invisible to the network. Check out the statistics. 26731
> > packets received and nothing else. The other card (management) has IPChains
> > blocking everything.
>
> Interesting  - that doesn't work here...
>
> My eth1 is reporting:
>
> RX packets:113043
> TX packets: 46
>
> I'm running arpwatch as well as it's show my MAC address "flip-flopping" -
> one moment it's the MAC address of eth0, the next it's eth1...
>
> --
> Cheers
>
> Jason Haar
>
> Unix/Special Projects, Trimble NZ
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20001103/f07ab93e/attachment.html>


More information about the Snort-users mailing list