[Snort-users] passive monitoring - How?

Kevin.Brown at ...1022... Kevin.Brown at ...1022...
Wed Jan 24 15:01:48 EST 2001


Or use the 2.2 kernel ipchains stuff:

ipchains -A output -i ethX -j REJECT

where X is the number of the passive interface.  I haven't seen a single
packet go out that interface yet.

> > Under linux I don't have an ip address for my interface.  Under
> > /etc/sysconfig/network-scripts/ I made sure that the ifcfg-ethX file was empty
> > and then just did:
> > # ifconfig ethX up
> > 
> 
> If this box has two cards, you may want to do a little more work. Under
> Linux, ARP replies are broadcast out of ALL interfaces - not just
> the one that has the IP address in question. So you can "see" evidence of
> your second unnumbered ethernet card flying around your network.
> 
> I use the following /proc entries to silence my eth1 card.
> 
> echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
> echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects
> echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_source_route 
> echo 0 > /proc/sys/net/ipv4/conf/eth1/shared_media
> echo 1 > /proc/sys/net/ipv4/conf/eth1/rp_filter
> 
> -- 
> Cheers
> 
> Jason Haar
> 
> Unix/Special Projects, Trimble NZ
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> 





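Added example, not part of the original post or thread: a shell check that the five /proc settings quoted above hold for a sniffing interface, and that its transmit counter stays flat over a sample window. `CONF_ROOT`, `STATS_ROOT` and the function names are this example's own assumptions; the transmit counter path assumes a kernel with sysfs.

```shell
#!/bin/sh
# Added example: audit a sniffing interface against the settings quoted above.
# CONF_ROOT and STATS_ROOT are this example's own knobs (assumptions) so the
# checks can be pointed at a copy of the tree; the defaults are the live paths.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"
STATS_ROOT="${STATS_ROOT:-/sys/class/net}"   # needs a kernel with sysfs

# Expected values, exactly as listed in the quoted message.
EXPECTED="send_redirects=0 accept_redirects=0 accept_source_route=0 shared_media=0 rp_filter=1"

# check_passive_iface IFACE: 0 = all match, 1 = mismatch, 2 = no such interface
check_passive_iface() {
    dir="$CONF_ROOT/$1"
    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir not found" >&2
        return 2
    fi
    rc=0
    for pair in $EXPECTED; do
        key="${pair%%=*}"
        want="${pair#*=}"
        if [ -r "$dir/$key" ]; then got="$(cat "$dir/$key")"; else got="missing"; fi
        if [ "$got" = "$want" ]; then
            echo "ok    $1 $key=$got"
        else
            echo "DIFF  $1 $key=$got (expected $want)"
            rc=1
        fi
    done
    return $rc
}

# tx_delta IFACE SECONDS: print how many packets the interface transmitted
# during the window; a silent passive interface should print 0.
tx_delta() {
    f="$STATS_ROOT/$1/statistics/tx_packets"
    [ -r "$f" ] || { echo "ERROR: $f not readable" >&2; return 2; }
    before="$(cat "$f")"
    sleep "$2"
    after="$(cat "$f")"
    echo $((after - before))
}

# Run as: sh check_passive.sh eth1
if [ -n "${1:-}" ]; then
    check_passive_iface "$1"
    echo "tx packets in 10s: $(tx_delta "$1" 10)"
fi
```

A non-zero transmit delta means something on the host is still sending out of the interface, whatever the /proc values say.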