[Snort-users] Configuration issue, Part II

John Berkers berjo at ...827...
Tue Sep 25 05:48:02 EDT 2001

I believe that this particular issue only applies to PPP interfaces.
Ethernet sniffing works quite fine from behind an ipchains firewall.  That's
exactly the way I have a couple of sensors configured, and I get traffic on
a completely blocked interface.

It is a tad confusing when different interface types exhibit different
behaviour with respect to promiscuity.  Promiscuity doesn't really apply in
the case of PPP since by definition only traffic intended to go over a PPP
link will arrive at a PPP interface.

Now where's that coffee....


John Berkers

I try to take life one day a at a time,
but sometimes several days attack me at once.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Erek Adams
Sent: Monday, 24 September 2001 23:34
To: Greg Sarsons
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Configuration issue, Part II

On Mon, 24 Sep 2001, Greg Sarsons wrote:

> Okay I've got snort running collecting a big binary dump file and not
> doing anything else but it is on a machine running iptables (the dump
> file will be looked at latter on another machine).  So is it the case
> that much of the traffic will be killed by iptables even if snort is
> running in promiscuous mode?


> Does that mean that I have to take down my iptables firewall to collect
> everything?

Yes.  To make it simpler, put snort on a box by itself.  Set it outside your
firewall with a recieve only cable and no IP on the interface.  All will be
good.  :)

Erek Adams

Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list