[Snort-users] passive monitoring - How?

Jason Haar Jason.Haar at ...294...
Wed Jan 24 14:53:40 EST 2001


On Tue, Jan 23, 2001 at 08:16:42PM -0700, Kevin.Brown at ...1022... wrote:
> Under linux I don't have an ip address for my interface.  Under
> /etc/sysconfig/network-scripts/ I made sure that the ifcfg-ethX file was empty
> and then just did:
> # ifconfig ethX up
> 

If this box has two cards, you may want to do a little more work. Under
Linux, ARP replies are broadcast out of ALL interfaces - not just
the one that has the IP address in question. So you can "see" evidence of
your second unnumbered ethernet card flying around your network.

I use the following /proc entries to silence my eth1 card.

echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/eth1/shared_media
echo 1 > /proc/sys/net/ipv4/conf/eth1/rp_filter

-- 
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
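
A check for the five settings listed in the message above, as an added example that is not part of the original post: it reads each entry for an interface and reports any that is missing or differs from the value given there. `CONF_ROOT`, `audit_iface` and `demo` are names assumed for this example, and the tree the demo audits is constructed.

```shell
# Added example: audit the five per-interface settings from the message above.
# CONF_ROOT is an assumption of this example so the check can also run against
# a copy of the tree; by default it reads the live /proc path.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# name=value pairs exactly as given in the message.
EXPECTED="send_redirects=0 accept_redirects=0 accept_source_route=0 shared_media=0 rp_filter=1"

# audit_iface IFACE: print one line per setting; the return status is the
# number of settings that are missing or differ (0 = matches the message).
audit_iface() {
    iface="$1"
    bad=0
    if [ ! -d "$CONF_ROOT/$iface" ]; then
        echo "$iface: not found under $CONF_ROOT" >&2
        return 255
    fi
    for pair in $EXPECTED; do
        key="${pair%%=*}"
        want="${pair#*=}"
        file="$CONF_ROOT/$iface/$key"
        if [ ! -r "$file" ]; then
            echo "MISSING  $iface/$key (want $want)"
            bad=$((bad + 1))
            continue
        fi
        have="$(tr -d '[:space:]' < "$file")"
        if [ "$have" = "$want" ]; then
            echo "OK       $iface/$key = $have"
        else
            echo "MISMATCH $iface/$key = $have (want $want)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# demo: build a constructed tree (not real sensor data) with one drifted value.
demo() {
    CONF_ROOT="$(mktemp -d)"
    mkdir -p "$CONF_ROOT/eth1"
    for pair in $EXPECTED; do
        echo "${pair#*=}" > "$CONF_ROOT/eth1/${pair%%=*}"
    done
    echo 1 > "$CONF_ROOT/eth1/send_redirects"
    audit_iface eth1 || echo "$? setting(s) differ from the message"
    rm -rf "$CONF_ROOT"
}
if [ "$#" -gt 0 ]; then audit_iface "$1"; else demo; fi
```

Values written through /proc do not survive a reboot, so running the check with the interface name as its argument after the sensor boots shows whether the settings were reapplied.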



