[Snort-users] Snort Doesn't Set Second NIC Promiscuous

Ken Schweigert ken at ...4067...
Mon Jul 15 13:37:05 EDT 2002


That fixed it!

Thank you very much.

-- 
-Ken Schweigert, Padawan Network Administrator
Byte Productions, LLC
http://www.byte-productions.com


On Mon, Jul 15, 2002 at 02:03:57PM -0500, DataShark wrote:
> snort -i <if name>
> 
> 	DS
> 
> On Mon, 15 Jul 2002 14:22:53 -0400
> Ken Schweigert <ken at ...4067...> wrote:
> 
> > I've been happily running Snort-1.8.6 on OpenBSD-3.0 and watching
> > one subnet.  I wanted to start watching another subnet so I put another
> > NIC in the box, gave it an IP in that subnet, copied my snort.conf and
> > changed the HOME_NET, and started it.  Everything running great, or so
> > I had thought.
> > 
> > After a few days I noticed the only thing snort alerted on, on the new
> > subnet, was only requests to it's IP.  A little digging showed that
> > the second NIC wasn't in promiscuous mode.
> > 
> > I must admit that I'm still new to OpenBSD, but not too new to Unix (4
> > or 5 years with Linux) and the only way I've been able to get it into
> > promisc is by using tcpdump.
> > 
> > Any ideas on how to get this second NIC to snort?
> > 
> > Thanks.
> > -- 
> > -Ken Schweigert, Padawan Network Administrator
> > Byte Productions, LLC
> > http://www.byte-productions.com
> > ---------------------------------------------------------------------
> > bash-2.05# ifconfig -A
> > fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
> >         media: Ethernet autoselect (100baseTX full-duplex)
> >         status: active
> >         inet xx.xx.xx.62 netmask 0xffffffe0 broadcast xx.xx.xx.63
> > fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         media: Ethernet autoselect (100baseTX full-duplex)
> >         status: active
> >         inet yy.yy.yy.93 netmask 0xffffffe0 broadcast yy.yy.yy.95
> > 
> > bash-2.05# /usr/local/bin/snort -V
> > 
> > -*> Snort! <*-
> > Version 1.8.6 (Build 105)
> > By Martin Roesch (roesch at ...1935..., www.snort.org)
> > 
> > bash-2.05# ps ax | grep snort
> >   PID TT   STAT      TIME COMMAND
> > 24520 ??  Ss      4:11.44 /usr/local/bin/snort -d -s -c /etc/snort/snort.conf.fxp1 -A full -D 
> >  4919 ??  Ss      4:21.06 /usr/local/bin/snort -d -s -c /etc/snort/snort.conf.fxp0 -A full -D
> > 
> > bash-2.05# diff snort.conf.fxp0 snort.conf.fxp1
> > 50c50
> > < var HOME_NET [xx.xx.xx.32/27]
> > ---
> > > var HOME_NET [yy.yy.yy.64/27]
> > 
> > 
> > bash-2.05# ifconfig fxp1 promisc
> > ifconfig: promisc: bad value
> > bash-2.05#
> > 
> > 
> > 
> > -------------------------------------------------------
> > This sf.net email is sponsored by:ThinkGeek
> > Welcome to geek heaven.
> > http://thinkgeek.com/sf
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users







More information about the Snort-users mailing list