[Snort-users] Snort DUAL nics

Tom Sevy tsevy at ...1701...
Thu Apr 5 07:47:33 EDT 2001


Will the dual nics will be on a single lan segment (as in a switched
environment where you need multiple 'probes' to see all the traffic in a
single lan segment)?

If yes, you will need to make a mod to the if_ether.c to get rid of messages
from the kerel complaining about seeing a MAC address on multiple
interfaces.


-----Original Message-----
From: shawn . moyer [mailto:shawn at ...1184...]
Sent: Thursday, April 05, 2001 1:56 AM
To: Ryan Russell
Cc: Erik Fichtner; Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort DUAL nics


Ryan Russell wrote:

> I'm familiar with the read-only cables, but I was really more curious
> about whether that setup was safe or not.. not because I would
> neccessarily do it that way, but because other people probably do.
> 
> I also don't think the read-only cable will help, as any replies would be
> going out the interface that does have an IP address.

You can always tune the necessary kernel parameters to drop
broadcasts... In FBSD, I believe this would be 

sysctl -w net.inet.icmp.bmcastecho=0

and

sysctl -w net.inet.icmp.maskrepl=0


Of course at this point this is all getting a bit silly.



--shawn

-- 

s h a w n   m o y e r
shawn at ...1184...

"Nuclear war would really set back cable."
                             -- Ted Turner

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list