[Snort-users] Snort and Promiscuos Mode

Frontgate Lab mdiwan at ...200...
Tue Oct 9 09:41:14 EDT 2001

Hello everyone.. Just a few quick questions about Snort 
and Promiscuous mode on an Ethernet NIC. 

What are the consequenses of NOT enableing Promiscuos mode on the NIC
and still running snort on it?

IE what Situations would I be able to see traffic that is pertinent and
in what situations would i not see something i should be watching out

Most often the environment that Snort runs in 
is Switched sometimes these swithches are Vlan-ed, sometimes the switch
is flat.
It is unusual that the switch mirrors all its traffic to one switch
port..but i can set up environments where this is possible.. what is the
best approach for Snort IDS?

 Does running IDS on a switched port without promiscuos mode have any
advantages for me
 if the IDS is running on a firewall ? 
One of the problems with promiscous mode in some of my environments is
that it seems to suck packets away from thier intended targets,
especially in UDp environs.. has anyone else experienced this?

Are there any drawbacks to running snort on an interface without an
IP?.. ie could i still put it into promiscuous mode if i had to and why
would i want to do that?

Please forgive some of the above redundency in language i simply want to
explain my questions as clearly as possible.

Thank you for any  input to this topic.

Madhav Diwan

Note: The information contained in this message may be privileged and confidential and protected from disclosure.  If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer.  Thank you.  Wagner Weber & Williams

More information about the Snort-users mailing list