[Snort-users] Snort Doesn't Set Second NIC Promiscuous

Ken Schweigert ken at ...4067...
Mon Jul 15 11:22:04 EDT 2002


I've been happily running Snort-1.8.6 on OpenBSD-3.0 and watching
one subnet.  I wanted to start watching another subnet so I put another
NIC in the box, gave it an IP in that subnet, copied my snort.conf and
changed the HOME_NET, and started it.  Everything was running great, or so
I had thought.

After a few days I noticed the only thing snort alerted on, on the new
subnet, was only requests to its IP.  A little digging showed that
the second NIC wasn't in promiscuous mode.

I must admit that I'm still new to OpenBSD, but not too new to Unix (4
or 5 years with Linux) and the only way I've been able to get it into
promisc is by using tcpdump.

Any ideas on how to get this second NIC to snort?

Thanks.
-- 
-Ken Schweigert, Padawan Network Administrator
Byte Productions, LLC
http://www.byte-productions.com
---------------------------------------------------------------------
bash-2.05# ifconfig -A
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet xx.xx.xx.62 netmask 0xffffffe0 broadcast xx.xx.xx.63
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet yy.yy.yy.93 netmask 0xffffffe0 broadcast yy.yy.yy.95

bash-2.05# /usr/local/bin/snort -V

-*> Snort! <*-
Version 1.8.6 (Build 105)
By Martin Roesch (roesch at ...1935..., www.snort.org)

bash-2.05# ps ax | grep snort
  PID TT   STAT      TIME COMMAND
24520 ??  Ss      4:11.44 /usr/local/bin/snort -d -s -c /etc/snort/snort.conf.fxp1 -A full -D 
 4919 ??  Ss      4:21.06 /usr/local/bin/snort -d -s -c /etc/snort/snort.conf.fxp0 -A full -D

bash-2.05# diff snort.conf.fxp0 snort.conf.fxp1
50c50
< var HOME_NET [xx.xx.xx.32/27]
---
> var HOME_NET [yy.yy.yy.64/27]


bash-2.05# ifconfig fxp1 promisc
ifconfig: promisc: bad value
bash-2.05#
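
A check a sensor operator could run for the situation described in this post, as an added example that is not part of the original message: it parses `ifconfig -A` output for monitored interfaces lacking the PROMISC flag, and `ps ax` output for Snort processes started without `-i`, the option that names the interface to listen on. The function names and the sample data (constructed from the output quoted above, addresses left out) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.

# Print each interface named in "$@" whose flags lack PROMISC.
# Reads `ifconfig -A` output on stdin.
nonpromisc_ifaces() {
    want=" $* "
    awk -v want="$want" '
        # Header lines look like: fxp1: flags=8843<UP,BROADCAST,...> mtu 1500
        /^[a-z]+[0-9]+: flags=/ {
            name = $1; sub(/:$/, "", name)
            flags = $2; sub(/^.*</, "", flags); sub(/>.*$/, "", flags)
            if (index(want, " " name " ") && index("," flags ",", ",PROMISC,") == 0)
                print name
        }'
}

# Print the PID of every snort process whose command line has no -i option.
# Reads `ps ax` output on stdin (columns: PID TT STAT TIME COMMAND).
# Only recognises -i written as its own argument ("-i fxp1" or "-ifxp1").
snort_without_iface() {
    awk '
        $5 ~ /(^|\/)snort$/ {
            has_i = 0
            for (f = 6; f <= NF; f++) if ($f ~ /^-i/) has_i = 1
            if (!has_i) print $1
        }'
}

# Constructed sample input, modelled on the output in the post.
sample_ifconfig() { cat <<'EOF'
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        status: active
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        status: active
EOF
}
sample_ps() { cat <<'EOF'
  PID TT   STAT      TIME COMMAND
24520 ??  Ss      4:11.44 /usr/local/bin/snort -d -s -c /etc/snort/snort.conf.fxp1 -A full -D
 4919 ??  Ss      4:21.06 /usr/local/bin/snort -d -s -c /etc/snort/snort.conf.fxp0 -A full -D
EOF
}

# On a live sensor, pipe in `ifconfig -A` and `ps ax` instead of the samples.
echo "not promiscuous: $(sample_ifconfig | nonpromisc_ifaces fxp0 fxp1)"
echo "snort without -i: $(sample_ps | snort_without_iface | tr '\n' ' ')"
```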
