[Snort-users] no ip on interface?

Erek Adams erek at ...577...
Thu Sep 12 10:16:05 EDT 2002

On Thu, 12 Sep 2002, T.Shaw wrote:

> this might be a stupid question.. but here goes..I have snort 1.8.7 up and
> running loggin to a pgsql database. I haven't installed ACID as of yet. I
> have configured snort to look at all traffic at an interface that currently
> doesnt have an ip assigned to it. Basically the interface is just up ( this
> is a linux box with two interfaces on it)  What im wondering is even tho i
> have no ip on the interface, will snort still be able to dump alerts and
> data into the database? Using a normal sniffer (ethereal, tcpdump) i can
> view the traffic on the interface by specifying the (usually) the -i
> parameter.  If i gave snort a smiliar parameter.. everything should be fine
> correct? Would this screw up reporting and alerts?

If I'm reading your question correctly:  No.

If you box only has one interface and that intercface has no IP, you can't
send any data out.  W/O the three way handshake, it's not going to setup the
connection, and with no IP the packets are missing a important bit of info. :)

Add a second interface, place it on a backend net and have your console
sitting on that.  That way you can remotely manage the box over the net.

If you box already has two interfaces setup like that, then ignore this email.


Erek Adams

