[Snort-users] Snort DUAL nics
tsevy at ...1701...
Thu Apr 5 07:47:33 EDT 2001
Will the dual nics will be on a single lan segment (as in a switched
environment where you need multiple 'probes' to see all the traffic in a
single lan segment)?
If yes, you will need to make a mod to the if_ether.c to get rid of messages
from the kerel complaining about seeing a MAC address on multiple
From: shawn . moyer [mailto:shawn at ...1184...]
Sent: Thursday, April 05, 2001 1:56 AM
To: Ryan Russell
Cc: Erik Fichtner; Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort DUAL nics
Ryan Russell wrote:
> I'm familiar with the read-only cables, but I was really more curious
> about whether that setup was safe or not.. not because I would
> neccessarily do it that way, but because other people probably do.
> I also don't think the read-only cable will help, as any replies would be
> going out the interface that does have an IP address.
You can always tune the necessary kernel parameters to drop
broadcasts... In FBSD, I believe this would be
sysctl -w net.inet.icmp.bmcastecho=0
sysctl -w net.inet.icmp.maskrepl=0
Of course at this point this is all getting a bit silly.
s h a w n m o y e r
shawn at ...1184...
"Nuclear war would really set back cable."
-- Ted Turner
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
More information about the Snort-users