[Snort-users] Re: Snort-users digest, Vol 1 #3997 - 11 msgs

Nigel Houghton nigel at ...1935...
Tue Feb 24 09:47:15 EST 2004


On  0, I think snort-users-request at lists.sourceforge.net wrote:
> Today's Topics:
> 
>    1. Re: Snort on Linux with no IP (Yonah Russ)
> --__--__--
> 
> Message: 1
> Date: Sun, 22 Feb 2004 23:34:30 +0200
> From: Yonah Russ <yonah at ...11275...>
> To: Brian McNeilly <bmcneilly at ...9344...>
> CC: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort on Linux with no IP
> 
> eth1 is the name for the second network card in a BSD or Linux machine. 
> Each network card is called eth for ethernet and is numbered from 0 and 
> up to however many network cards you have (minus 1).

eth* applies to Linux machines; BSD is different. For example, FreeBSD uses the
driver to identify the interface, so for example, an Intel card will show up as
fxp0 or fxp1 etc., an Intel pro/1000 GigE card will show up as gx0, gx1 etc.
3Com cards show as xl0, xl1 etc.

The main thing is that if you have two different cards in a machine, say an
Intel and a 3Com, they will show as fxp0 and xl0 and not fxp0 and xl1.

> It seems your machine either has only one network card or it may not 
> have the proper driver modules loaded.

This may be true, but we would need to know the OS to go any further.

> If you only have one network card, you could try using eth0 instead but 
> you obviously won't be able to use regular network from that computer.

Only if you are running in promiscuous mode.

> Hope this helps.
> Yonah
> 
> --
> Yonah Russ - Mirimar Networks
> http://www.mirimar.net/
> 
> Brian McNeilly wrote:
> 
> > Hi,
> >
> > I apologise in advance for the newbie question, which undoubtedly has 
> > been discussed to death already. Before you send me to the FAQ, here 
> > is the relevant snippet from there:
> >
> > 3.1 How do I setup snort on a 'stealth' interface?
> >
> >   *BSD and Linux:
> >
> >     ifconfig eth1 up

Which OS are you using?

> > OK, so I do this and the response I get is: eth1: unknown interface: 
> > No such device
> >
> > Can anyone elaborate on the rather limited response found in the FAQ 
> > for this issue? It seems to me that many people have asked about this 
> > before, but there never has been an appropriate explanation put into 
> > the FAQ (I've just spent the entire afternoon reading mail archives to 
> > no avail). Sorry if I'm just stupid, but the FAQ isn't really helpful 
> > on this issue.
> >
> > Cheers,
> >
> > Brian McNeilly
> >

-------------------------------------------------------------
Nigel Houghton  Research Engineer   Sourcefire Inc.
            Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.
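
An added example, not part of the original messages: a small shell helper that reads `ifconfig -a` output in either the Linux or the FreeBSD layout discussed above and reports which interface names exist and which have no IPv4 address, so the name passed to `ifconfig ... up` is one the system actually has. The function names and both sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): parse `ifconfig -a` output to find
# interfaces with no IPv4 address, i.e. candidates for a stealth sensor port.

# Constructed sample, FreeBSD style: one Intel (fxp) and one 3Com (xl) card.
SAMPLE_FREEBSD='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        ether 00:00:5e:00:53:01
xl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        ether 00:00:5e:00:53:02
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# Constructed sample, older Linux net-tools style: two Ethernet cards.
SAMPLE_LINUX='eth0      Link encap:Ethernet  HWaddr 00:00:5E:00:53:03
          inet addr:192.0.2.20  Bcast:192.0.2.255  Mask:255.255.255.0

eth1      Link encap:Ethernet  HWaddr 00:00:5E:00:53:04
          BROADCAST MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0'

# list_interfaces: read ifconfig output on stdin, print "NAME ipv4|noip".
list_interfaces() {
    awk '
        /^[^ \t]/ {   # unindented line starts a new interface block
            if (name != "") print name, (has_ip ? "ipv4" : "noip")
            name = $1; sub(/:$/, "", name); has_ip = 0
            next
        }
        /^[ \t]+inet[ \t]/ { has_ip = 1 }   # IPv4 line only, inet6 is skipped
        END { if (name != "") print name, (has_ip ? "ipv4" : "noip") }
    '
}

# stealth_candidates: non-loopback interfaces that carry no IPv4 address.
stealth_candidates() {
    list_interfaces | awk '$2 == "noip" && $1 !~ /^lo[0-9]*$/ { print $1 }'
}

# interface_exists NAME: succeed only if NAME is listed in the output on stdin.
interface_exists() {
    list_interfaces | awk -v want="$1" '$1 == want { found = 1 } END { exit !found }'
}

# Usage on a live host (nothing below runs automatically):
#   ifconfig -a | stealth_candidates
#   ifconfig -a | interface_exists eth1 && ifconfig eth1 up
```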