[Snort-users] snort and demarc frontend and Promiscuous mode

Erek Adams erek at ...577...
Wed Sep 4 15:14:12 EDT 2002

On Wed, 4 Sep 2002, Lavin, John wrote:

> Do I need two network cards in order to run snort in Promiscuous mode?


> I am running this on a linux box with one nic card right now. So currently
> if I do a nmap scan from another linux box right at the box with snort
> loaded on it....
>  nmap -O (ip address of the box)
> It will trigger the alerts.
> However If I scan another pc plugged into the same hub it does not report
> finding anything.
> so I think I need to adjust the mode or install another nic card then setup
> the Promiscuous mode.

Nope.  Just read the FAQ.

>  Can anyone please let me know how to do this or point me to the correct
> documentation. I know how to put in the nic and set it up, I just want to
> find out what the interfaces are labeled from snorts point of view and know
> what options I need to add to snort when I start it up.

ifconfig -a

Will show you all interfaces.  Snort uses the same names as the OS.

If you are using a 'dual speed hub', then check out the FAQ.


If you are using a switch, setup SPAN (Cisco's) or use the 'monitor port'.

Hope that helps!

Erek Adams

More information about the Snort-users mailing list