[Snort-users] no ip on interface?

Michael Boman michael at ...3137...
Thu Sep 12 09:48:06 EDT 2002


On Thu, Sep 12, 2002 at 04:10:47PM +0000, T.Shaw wrote:
> Hello all.. 
> this might be a stupid question.. but here goes..I have snort 1.8.7
> up and running loggin to a pgsql database. I haven't installed ACID as
> of yet. I have configured snort to look at all traffic at an interface
> that currently doesnt have an ip assigned to it. Basically the interface
> is just up ( this is a linux box with two interfaces on it)  What im
> wondering is even tho i have no ip on the interface, will snort still
> be able to dump alerts and data into the database? Using a normal
> sniffer (ethereal, tcpdump) i can view the traffic on the interface by
> specifying the (usually) the -i parameter.  If i gave snort a smiliar
> parameter.. everything should be fine correct? Would this screw up
> reporting and alerts?

First bring up your sniffer interface with:

/sbin/ifconfig eth1 up

For snort use '-i' to specify interface ('-i eth1').

Snort doesn't need an IP on the interface it sniffs on. Most of my snort
installations are sniffing from a ip-less interface.

Best regards
 Michael Boman

-- 
Michael Boman
Student, Husband, Geek. Not necessary in that order thought.





More information about the Snort-users mailing list