[Snort-users] Snort.conf & stealth mode

Demetri Mouratis dmourati at ...3877...
Fri May 23 11:44:05 EDT 2003

See comments inline:
On Fri, 23 May 2003, francesco wrote:

> Recently (April 03) someone asked how to start the OS and Snort in stealth
> mode.
> My question is slightly different:
> - Is it required any special setting of the VAR interface address (for a
> stealth mode card) or just run it the way it is?

No special setting is required.  Bring the interface up, then point your
snort instance at that interface with the -i option.

# ifconfig eth1 up
# snort -dev -i eth1

> -BTW is it necessary to specify the promisc option for the ifconfig
> activation command?

No, snort will put the interface into promiscuous mode by default.  One
caveat I've noticed with Linux (2.4.x kernels) is that you cannot have two
snort instances on the same interface in promiscuous mode automatically.
In this case, use the -p option to snort at run time and manually put the
interface into promiscuous mode with:

# ifconfig eth1 promisc

> I am confused, as there is very little about that (also the FAQ 3.1 & 3.29
> goes straight through this but the snort.conf file is not mentioned at all).
> Thanks to anyone is going to answer.
> Francesco
> -------------------------------------------------------
> This SF.net email is sponsored by: ObjectStore.
> If flattening out C++ or Java code to make your application fit in a
> relational database is painful, don't do it! Check out ObjectStore.
> Now part of Progress Software. http://www.objectstore.net/sourceforge
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

Demetri Mouratis
dmourati at ...3878...

More information about the Snort-users mailing list