[Snort-users] Re: Snort on linux with multiple network cards

Peter Bates peter.bates at ...79...
Tue Jan 23 16:06:24 EST 2001

Hello again all...

I would like to thank everyone who helped me out
in my hour of stupidity, and finally assisted
with me having a working, snorting setup.

To recap... I was being driven mad by the fact
that two identical (Intel EtherPro100) NICs
in a machine appeared to be totally missing any
interesting traffic during testing on a simple
hub-based setup under Linux (mangled RH 6.2 with 2.4 kernel)

One NIC had a fixed IP address fully plumbed
as a 'management' port behind our firewall
for testing, and the other was to be just brought
up 'addressless' in promisc. mode. as described multiple
times in the FAQ, on this list, etc. etc.

Testing this on a simple 4-port 10/100 hub, I had
the snort box plumbed into 1 port, and two other
systems having off the other remaining possible ports.

Basically, running even a slim set of rules, snort saw
the ftp traffic to a Windows NT box (1 of the 2) running
at 100Mb/s, triggering the 'null' user/password rule,
but failed to see any traffic directed to the other box,
an aging Sparc running RH 6.x, but only at 10Mb/s...

Now the snort box is 'in its rightful place' at a mirrored/spanned
port listening to the traffic coming from our external link,
I happily see the rule being triggered for either box...

Thanks again all for their help... if anyone wants to tell me
"Well, that's an obvious problem..." after this, I'd be interested
to hear the explanation!


Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-927 2124 / Fax:0207-436 5389 / Pager: 07625 255362

More information about the Snort-users mailing list