[Snort-users] passive monitoring - How?

Jason Haar Jason.Haar at ...294...
Thu Jan 25 02:55:09 EST 2001


On Wed, Jan 24, 2001 at 01:01:48PM -0700, Kevin.Brown at ...1022... wrote:
> Or use the 2.2 kernel ipchains stuff:
> 
> ipchains -A output -i ethX -j REJECT
> 
> where X is the number of the passive interface.  I haven't seen a single
> packet go out that interface yet.

Well it can't have > 1 ethernet card then :-) My whole reason for those
sysctl entries was because ipchains only blocks IP packets (sort of obvious
when you say it out loud ;-) Packets like ARPs/etc are ignored by ipchains...
If you want REAL quiet - then you need the "/proc" changes as well as
explicit ipchains blocks [I am being totally anal here of course - but why
not ;-)]

> > echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
> > echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects
> > echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_source_route 
> > echo 0 > /proc/sys/net/ipv4/conf/eth1/shared_media
> > echo 1 > /proc/sys/net/ipv4/conf/eth1/rp_filter
> > 

-- 
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
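
The five /proc settings quoted in the message above can be re-checked on the sensor with a small audit script. This is an added example, not part of the original thread; the `CONF_ROOT` override, the function names and the sample tree are assumptions made so it can run against a constructed directory.

```shell
#!/bin/sh
# Added example, not from the thread: audit the per-interface settings above.
# CONF_ROOT override is an assumption for offline runs; the real tree is /proc.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Expected values exactly as listed in the post, as key=value pairs.
EXPECTED="send_redirects=0 accept_redirects=0 accept_source_route=0 shared_media=0 rp_filter=1"

# audit_passive_iface IFACE
# Prints OK / MISMATCH / MISSING per key; returns the count of keys not at
# the expected value (0 = all match, 255 = interface directory absent).
audit_passive_iface() {
    iface="$1"
    bad=0
    if [ ! -d "$CONF_ROOT/$iface" ]; then
        echo "MISSING  $iface: not present under $CONF_ROOT"
        return 255
    fi
    for pair in $EXPECTED; do
        key="${pair%%=*}"
        want="${pair#*=}"
        file="$CONF_ROOT/$iface/$key"
        if [ ! -r "$file" ]; then
            echo "MISSING  $iface/$key (expected $want)"
            bad=$((bad + 1))
            continue
        fi
        # /proc values end in a newline; strip all whitespace before comparing.
        have="$(tr -d '[:space:]' < "$file")"
        if [ "$have" = "$want" ]; then
            echo "OK       $iface/$key=$have"
        else
            echo "MISMATCH $iface/$key=$have (expected $want)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Builds a constructed, compliant sample tree so the audit runs without root.
make_sample_tree() {
    root="$1"; iface="$2"
    mkdir -p "$root/$iface"
    for pair in $EXPECTED; do
        echo "${pair#*=}" > "$root/$iface/${pair%%=*}"
    done
}
```

On the sensor itself, `audit_passive_iface eth1` reads the live values; a non-zero return means a setting has drifted, for example after a reboot, since values written to /proc do not persist.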



