[Snort-users] Dual ethernet cards under Linux - could be of use to others
bruneau at ...126...
Fri Nov 3 05:42:04 EST 2000
Do you still have a valid IP address assigned to the monitoring card? The only IP
assigned to the card must be 0.0.0.0 and the ifconfig command "promisc" in order for
Linux to keep the card from doing anything except receive packets for whichever IDS
you would like to use (Snort, Shadow, etc.).
Ma page est a/My page at: http://www.penguinpowered.com/~bruneau
Jason Haar wrote:
> On Thu, Nov 02, 2000 at 08:37:05PM -0500, Guy Bruneau wrote:
> > Jason,
> > The way I have done it is by turning the second card into promiscuous mode in the
> > following way at startup. In rc.local add:
> > /sbin/ifconfig eth0 0.0.0.0 promisc
> > The result of ifconfig shows the following
> > eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
> >           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
> >           RX packets:26731 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:100
> >           Interrupt:10 Base address:0xd000
> > Keeping the card invisible to the network. Check out the statistics. 26731
> > packets received and nothing else. The other card (management) has IPChains
> > blocking everything.
> Interesting - that doesn't work here...
> My eth1 is reporting:
> RX packets:113043
> TX packets: 46
> I'm running arpwatch as well, and it's showing my MAC address "flip-flopping" -
> one moment it's the MAC address of eth0, the next it's eth1...
> Jason Haar
> Unix/Special Projects, Trimble NZ
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
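Added example, not part of the original thread: a shell check for the three properties the messages above rely on (PROMISC flag set, no address other than 0.0.0.0, TX counter at zero), run over ifconfig-style text. The function name audit_sniffer_iface and both sample outputs are constructed for illustration; 192.0.2.10 is a documentation address, not Jason's actual configuration.

```shell
#!/bin/sh
# Added example (not from the thread): audit ifconfig-style text on stdin for
# the three properties discussed: PROMISC set, no IP except 0.0.0.0, TX == 0.
# Prints findings; returns 0 when the interface looks receive-only, 1 otherwise.
audit_sniffer_iface() {
    awk '
        /PROMISC/ { promisc = 1 }
        # Old ("inet addr:1.2.3.4") and new ("inet 1.2.3.4") net-tools formats.
        match($0, /inet (addr:)?[0-9.]+/) {
            addr = substr($0, RSTART, RLENGTH)
            sub(/^inet (addr:)?/, "", addr)
            if (addr != "0.0.0.0") ip = addr
        }
        # "TX packets:0", "TX packets: 46" and "TX packets 0" all occur.
        match($0, /TX packets[: ]+[0-9]+/) {
            tx = substr($0, RSTART, RLENGTH)
            sub(/^TX packets[: ]+/, "", tx)
            seen_tx = 1
        }
        END {
            if (!promisc) { print "FAIL: PROMISC flag not set"; bad = 1 }
            if (ip != "") { print "FAIL: IP address assigned: " ip; bad = 1 }
            if (!seen_tx) { print "FAIL: no TX counter found"; bad = 1 }
            else if (tx + 0 > 0) { print "FAIL: interface has transmitted " tx " packets"; bad = 1 }
            if (!bad) print "OK: receive-only, no address, promiscuous"
            exit bad + 0
        }
    '
}

# Constructed sample modelled on the eth0 output quoted in the thread.
SAMPLE_STEALTH='eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:26731 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0'

# Constructed sample: counters from the reply, plus an assumed leftover address.
SAMPLE_LEAKY='eth1      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:113043 errors:0 dropped:0 overruns:0 frame:0
          TX packets: 46 errors:0 dropped:0 overruns:0 carrier:0'

# On a live host: /sbin/ifconfig eth0 | audit_sniffer_iface
printf '%s\n' "$SAMPLE_STEALTH" | audit_sniffer_iface || true
printf '%s\n' "$SAMPLE_LEAKY" | audit_sniffer_iface || true
```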