[Snort-users] OBSD / PROMISCUOUS

Sean Kiewiet SKiewiet at ...13511...
Mon Sep 19 07:01:25 EDT 2005


Hey all:

OBSD3.7
SNORT2.3.3

I have a machine with 4 NICs running 4 instances of snort:

/usr/local/bin/snort -u sguil -g sguil -l /nsm/em0 -c /etc/snort/em0.snort.conf -U -A none -m 122 -i em0 -D
/usr/local/bin/snort -u sguil -g sguil -l /nsm/em1 -c /etc/snort/em1.snort.conf -U -A none -m 122 -i em1 -D
/usr/local/bin/snort -u sguil -g sguil -l /nsm/em2 -c /etc/snort/em2.snort.conf -U -A none -m 122 -i em2 -D
/usr/local/bin/snort -u sguil -g sguil -l /nsm/em3 -c /etc/snort/em3.snort.conf -U -A none -m 122 -i em3 -D

One of the 4 NICs has an IP address; the others do not.

When I start up the 4 instances of snort, the NIC (em0) with the IP
address shows up in promiscuous mode; the others do not.

# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:04:23:bd:ab:d6
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 10.1.1.3 netmask 0xffffff00 broadcast 10.1.1.255
        inet6 fe80::204:23ff:febd:abd6%em0 prefixlen 64 scopeid 0x1
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        address: 00:04:23:bd:ab:d7
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
em2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        address: 00:14:22:0f:84:2b
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
em3: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        address: 00:14:22:0f:84:2c
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
pflog0: flags=0<> mtu 33224
pfsync0: flags=0<> mtu 2020
enc0: flags=0<> mtu 1536
#

How do I get the other 3 IP-less NICs to run in promiscuous mode in
OBSD?

Any help would be appreciated.

Sean
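
Added example, not part of the original post: a sensor health check that takes the interfaces named by `-i` in the snort command lines and compares them against the flags in the `ifconfig -a` header lines. The sample inputs are constructed from the post's own output; the function names and the set of required flags (UP, RUNNING, PROMISC) are assumptions of this example.

```python
import re
import shlex

# Constructed sample inputs, taken from the command lines and the
# interface header lines of the `ifconfig -a` output shown in the post.
SNORT_CMDS = [
    f"/usr/local/bin/snort -u sguil -g sguil -l /nsm/{i} "
    f"-c /etc/snort/{i}.snort.conf -U -A none -m 122 -i {i} -D"
    for i in ("em0", "em1", "em2", "em3")
]
IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 10.1.1.3 netmask 0xffffff00 broadcast 10.1.1.255
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
em2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
em3: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
pflog0: flags=0<> mtu 33224
"""

# Assumption of this example: a capturing interface should show all three.
REQUIRED = ("UP", "RUNNING", "PROMISC")
# Header lines start in column 0; indented detail lines do not match.
HEADER = re.compile(r"^(\S+): flags=[0-9a-fA-F]+<([^>]*)>")

def sniffed_interfaces(cmds):
    """Return the interface given to -i in each snort command line."""
    ifaces = []
    for cmd in cmds:
        argv = shlex.split(cmd)
        if "-i" in argv and argv.index("-i") + 1 < len(argv):
            ifaces.append(argv[argv.index("-i") + 1])
    return ifaces

def parse_flags(ifconfig_text):
    """Map interface name -> set of flag names from ifconfig header lines."""
    flags = {}
    for line in ifconfig_text.splitlines():
        m = HEADER.match(line)
        if m:
            flags[m.group(1)] = {f for f in m.group(2).split(",") if f}
    return flags

def missing_flags(cmds, ifconfig_text, required=REQUIRED):
    """Map each sniffed interface to the required flags it lacks."""
    flags = parse_flags(ifconfig_text)
    report = {}
    for name in sniffed_interfaces(cmds):
        lacking = [f for f in required if f not in flags.get(name, set())]
        if name not in flags:
            lacking = ["NOT FOUND"]
        if lacking:
            report[name] = lacking
    return report

if __name__ == "__main__":
    for name, lacking in missing_flags(SNORT_CMDS, IFCONFIG).items():
        print(f"{name}: missing {', '.join(lacking)}")
```

On the sample it reports em1, em2 and em3 as lacking UP, RUNNING and PROMISC, and reports nothing for em0.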

 

 

 
