[Snort-users] snort daemon to listen to eth2 and eth3 in promiscuous mode

Ayodele Okeowo aymacro at ...11827...
Tue Feb 19 07:24:00 EST 2013


What command do you type when running snort in inline mode? You will have to
pair both interfaces in order to use both for sniffing.

Paste your command on here and let's see. :)

Ayo


On Tue, Feb 19, 2013 at 6:54 AM, Kaushal Shriyan
<kaushalshriyan at ...11827...> wrote:

>
>
> On Tue, Feb 19, 2013 at 5:20 PM, Ray Caparros <arcy24 at ...11827...> wrote:
>
>> Kaushal,
>>
>> I believe in CentOS you can set your interfaces by running ifconfig eth2
>> promisc. You should be able to do the same thing on your other interface.
>>
>>
> Hi Ray,
>
> Thanks for the quick reply. When I check for the snort process I can see only
> eth2 and not eth3, and /sbin/ifconfig for eth2 and eth3 is already set to
> PROMISC mode. Please suggest further.
>
> [root at ...2306... ~]# ps aux | grep snort
> snort    17573  0.0  0.2 417000 71064 ?        Ssl  17:21   0:00
> /usr/sbin/snort -A fast -b -d -D -i eth2 -u snort -g snort -c
> /etc/snort/snort.conf -l /var/log/snort
> root     17579  0.0  0.0  61172   752 pts/0    S+   17:21   0:00 grep snort
> [root at ...2306... ~]# /sbin/ifconfig eth2
> eth2      Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0E
>           inet6 addr: fe80::e2db:55ff:fe05:d00e/64 Scope:Link
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:1 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:64 (64.0 b)  TX bytes:492 (492.0 b)
>           Interrupt:210 Memory:d90a0000-d90b0000
>
> [root at ...2306... ~]# /sbin/ifconfig eth3
> eth3      Link encap:Ethernet  HWaddr E0:DB:55:05:D0:0F
>           inet6 addr: fe80::e2db:55ff:fe05:d00f/64 Scope:Link
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:1 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:64 (64.0 b)  TX bytes:492 (492.0 b)
>           Interrupt:218 Memory:d90d0000-d90e0000
>
> [root at ...2306... ~]#
>
> Regards
>
> Kaushal
>
>
>> On Feb 19, 2013 6:14 AM, "Kaushal Shriyan" <kaushalshriyan at ...11827...>
>> wrote:
>>
>>> Hi,
>>>
>>> I have set the eth2 and eth3 Ethernet interfaces to promiscuous mode on
>>> CentOS 5.8. Is there a way to set it permanently in the snort config ->
>>> /etc/snort/snort.conf, or do I need to edit any configuration file? Please
>>> suggest.
>>>
>>> Regards,
>>>
>>> Kaushal
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Everyone hates slow websites. So do we.
>>> Make your web apps faster with AppDynamics
>>> Download AppDynamics Lite for free today:
>>> http://p.sf.net/sfu/appdyn_d2d_feb
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>>>
>>
>
>
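
Added example, not part of the thread: a shell check for the symptom reported above, where the process list shows snort bound to eth2 and nothing bound to eth3. It assumes snort command lines carry `-i IFACE` or a paired `-i IFACE1:IFACE2` value; the function names and the two-instance and paired process lists are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list capture interfaces that no
# running snort process is bound to.

# snort_ifaces: read process-list text on stdin and print every interface
# named by a snort command line's -i option, one per line. A paired value
# such as "eth2:eth3" is split into both members.
snort_ifaces() {
    awk '/snort/ && !/grep/ {
        for (i = 1; i < NF; i++)
            if ($i == "-i") {
                n = split($(i + 1), pair, ":")
                for (j = 1; j <= n; j++) print pair[j]
            }
    }' | sort -u
}

# uncovered_ifaces PROCESS_LIST IFACE...: print each wanted interface that
# appears in no snort command line.
uncovered_ifaces() {
    ui_covered=$(printf '%s\n' "$1" | snort_ifaces)
    shift
    for ui_iface in "$@"; do
        printf '%s\n' "$ui_covered" | grep -qxF -- "$ui_iface" ||
            printf '%s\n' "$ui_iface"
    done
}

# Process list from the thread, with the wrapped snort line rejoined.
PS_THREAD='snort 17573 0.0 0.2 417000 71064 ? Ssl 17:21 0:00 /usr/sbin/snort -A fast -b -d -D -i eth2 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
root 17579 0.0 0.0 61172 752 pts/0 S+ 17:21 0:00 grep snort'

# Constructed: one passive instance per interface.
PS_TWO='/usr/sbin/snort -A fast -b -d -D -i eth2 -c /etc/snort/snort.conf
/usr/sbin/snort -A fast -b -d -D -i eth3 -c /etc/snort/snort.conf'

# Constructed: a single instance given a paired interface value.
PS_PAIR='/usr/sbin/snort -Q --daq afpacket -i eth2:eth3 -c /etc/snort/snort.conf'

echo "thread sample, uncovered: $(uncovered_ifaces "$PS_THREAD" eth2 eth3)"
# On a live host: uncovered_ifaces "$(ps -eo args)" eth2 eth3
```

An empty result means every listed interface has a snort process attached; run from cron or a monitoring agent, a non-empty result flags a sensor port that is up in PROMISC mode but has nothing inspecting it.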