[Snort-users] Snort.conf & stealth mode

Erek Adams erek at ...950...
Fri May 23 17:35:05 EDT 2003


On Fri, 23 May 2003, francesco wrote:

> My question is slightly different:
> - Is it required any special setting of the VAR interface address (for a
> stealth mode card) or just run it the way it is?

I'm assuming you mean the value of HOME_NET.  :)

HOME_NET should be set to the value of the network that you are watching.

> -BTW is it necessary to specify the promisc option for the ifconfig
> activation command?

No.  Not unless you're using a Linux 2.4.?? (I can't recall)...  Promisc
mode is a flag in that kernel.  Once you turn it set the bit, the next
time you set that bit, it's turned off.

> I am confused, as there is very little about that (also the FAQ 3.1 & 3.29
> goes straight through this but the snort.conf file is not mentioned at all).

The info in snort.conf usally only has info that pertains to operation of
Snort.  Setting the interface to promisc is something that deals with the
Network/OS.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-users mailing list