[Snort-users] Re: Snort & Acid

Erek Adams erek at ...950...
Wed May 21 07:03:14 EDT 2003


On Tue, 20 May 2003 Colin.Slevin at ...9238... wrote:

> I am having another problem , I have two network cards on my machine one
> for sniffing and on for normal network activity . When I type snort -W I
> get these two NIC cards which are correct . But the card I want to sniff is
> the second but snort is using the first even when I specify the second in
> the snort .conf .

Well...  With out knowing how you're starting Snort or what you have in
your snort.conf file, I'm guessing...  Snort can only sniff on one
interface at a time.  You'll have to run two instances if you want to
sniff on two different cards.  If you have the -i <interface> parameter
usee on the command line it will override anything set in the snort.conf.
So try starting with -i 2 instead of -i 1 and having the second interface
in the snort.conf file.  Is the second interface connected to a DSL or
Cable modem?  If it's any type of NDIS link then you're out of luck as the
current versions of Winpcap no longer support dialup adapters.

> What do I do to change the situation . I know that one
> should be in promiscious mode but all traffic seems to be directed through
> this card .

I'm sorry, but that doesn't make much sense.  'This card?'  _Which_ card
are you talking about?  What do you mean by 'all traffic?'

> I using snort on Win2k with mysql and acid and obviously php.
> \Device\NPF_{37B8DFB9-9F3C-4585-BF8C-F65A3422564B} (Intel 8255x-based
> Integrated Fast Ethernet) normal traffic  (IP 10.0.0.46)
> \Device\NPF_{185E1F8A-0E33-4774-9193-076063E4A164} (Compac
> Ethernet/FastEthernet or Gigabit NIC) promiscious mode (IP 10.0.0.47) I
> don't think that this should have an IP address so if you can also tell me
> how to get this to sniff without an IP address that would great too ...

Check the 2.0 FAQ, #3.1

The 2.0 FAQ is located in the /doc directory of the tarball.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-users mailing list