[Snort-users] snort newbie help

Jose Maria Lopez Hernandez jkerouac at ...12346...
Mon Feb 28 09:59:58 EST 2005

On Mon, 28-02-2005 at 11:30 -0500, Guillermo Padilla wrote:
> Hi,
> I just recently installed snort on RH9.0 with apache-mysql-php-acid
> etc. The front end of the snort seems to be working fine.
> The server that snort is installed on has 5 interfaces but 4 will be
> used as taps.  I'm having problems figuring out how to get snort to only
> listen on just those 4 interfaces.  If I set up my startup script to
> iface=any it only starts looping localhost alerts.  If I add iface=eth1
> it looks like it's seeing traffic on that interface.  Right now I've only
> plugged all interfaces onto a hub where my Windows machine is also plugged
> in. The uplink port is connected to a switch which in turn goes out
> to the cloud.

You can do channel bonding of the interfaces you want the snort
daemon to listen to and then use the bonded interface in the
snort script.

> I want to see if I can see the traffic which is happening on my windows
> machine.
> All the interfaces do not have ip address except eth0.  
> Can anyone point me in the right direction?
> Regards,
> -Guillermo



Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac at ...12346...
bgSEC Seguridad y Consultoria de Sistemas Informaticos

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
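
Added example, not part of the original message or of any Snort startup script: one way to set up the channel bonding suggested in the reply, written with current iproute2 commands rather than the RH9-era tools. It assumes eth1-eth4 are the taps and eth0 is the addressed management NIC, as the question describes; the bond name bond0 and the snort.conf path are assumptions. Commands are only printed unless APPLY=1 is set (which needs root).

```shell
#!/bin/sh
# Bond passive tap NICs into one capture interface and point Snort at it.
# Assumptions: Linux with iproute2 and the bonding driver available.

BOND=bond0                      # hypothetical name for the bonded interface
MGMT=eth0                       # the only NIC with an IP; never enslaved
CONF=/etc/snort/snort.conf      # assumed config path

# run CMD...: print the command; execute it only when APPLY=1.
run() {
    echo "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# bond_taps IFACE...: build $BOND from the given tap interfaces.
bond_taps() {
    [ "$#" -ge 1 ] || { echo "usage: bond_taps IFACE..." >&2; return 2; }
    for i in "$@"; do
        if [ "$i" = "$MGMT" ]; then
            echo "refusing to enslave management interface $i" >&2
            return 1
        fi
    done
    # balance-rr: every member delivers received frames to the bond.
    # In active-backup mode the inactive members discard what they receive,
    # which would silently blind the sensor on those taps.
    run ip link add "$BOND" type bond mode balance-rr || return 1
    for i in "$@"; do
        run ip link set "$i" down || return 1       # driver rejects NICs that are up
        run ip addr flush dev "$i" || return 1      # taps stay without an address
        run ip link set "$i" master "$BOND" || return 1
    done
    # No address on the bond either: it is a listen-only interface.
    run ip link set "$BOND" up promisc on || return 1
}

# start_snort: one daemon on the bond instead of iface=any.
start_snort() {
    run snort -D -i "$BOND" -c "$CONF"
}

# Typical use: bond_taps eth1 eth2 eth3 eth4 && start_snort
```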
