[Snort-users] snort daemon to listen to eth2 and eth3 in promiscuous mode

Ayodele Okeowo aymacro at ...11827...
Tue Feb 19 08:02:59 EST 2013


If you only have 2 interfaces, you will need 3 interfaces, where one
interface will have an IP address configured on it for management (no
promisc) and the other 2 will not have any IP address configuration on them
and will need to be in promisc mode.

If you eventually have 3 interfaces up and configured, use the below
command as referenced in the Snort Manual.

snort -c /etc/snort/snort.conf -u snort -g snort --daq afpacket -i eth2:eth3 -Q

Replace the interfaces with the ones that correspond to your interfaces.
Hope this helps.
{read more on DAQ modes and types -
http://vrt-blog.snort.org/2010/08/snort-29-essentials-daq.html}

Ayo


On Tue, Feb 19, 2013 at 7:54 AM, Ayodele Okeowo <aymacro at ...11827...> wrote:

> Ok, to run Snort in inline mode your snort command will look different.
> How many interfaces do you have on your box?
>
> Ayo
>
>
> On Tue, Feb 19, 2013 at 7:29 AM, Kaushal Shriyan <kaushalshriyan at ...11827...> wrote:
>
>>
>>
>> On Tue, Feb 19, 2013 at 5:54 PM, Ayodele Okeowo <aymacro at ...11827...> wrote:
>>
>>> What command do you type when running snort in inline? You will have to
>>> pair both interfaces in order to use both for sniffing.
>>>
>>> Paste your command on here and let's see. :)
>>>
>>> Ayo
>>>
>>>
>> Thanks Ayo for the quick reply and I start snort using init script on
>> CentOS 5.8 with the below mentioned details
>>
>> [root at ...2306... ~]# /etc/init.d/snortd status
>> snort (pid 17573) is running...
>> [root at ...2306... ~]# ps aux | grep snort
>> snort    17573  0.0  0.2 417000 71064 ?        Ssl  17:21   0:00
>> /usr/sbin/snort -A fast -b -d -D -i eth2 -u snort -g snort -c
>> /etc/snort/snort.conf -l /var/log/snort
>> root     17647  0.0  0.0  61172   752 pts/0    S+   17:58   0:00 grep
>> snort
>> [root at ...2306... ~]#
>>
>> Regards
>>
>> Kaushal
>>
>>
>
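
A preflight check for the layout described in the top reply (one management interface with an IP address, an inline pair with none), as an added example that is not part of the thread. The function names, the choice of eth0 as the management interface and the sample text (written in the format of `ip -o addr show` and `ip -o link show`) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check an inline pair before starting
#   snort ... --daq afpacket -i eth2:eth3 -Q
# Input is text in the format of `ip -o addr show` / `ip -o link show`.

# Constructed sample: eth0 = management (assumed), eth2 is ready,
# eth3 still carries an IPv4 address and is down.
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
4: eth3    inet 198.51.100.7/24 brd 198.51.100.255 scope global eth3'

SAMPLE_LINK='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
4: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN'

# has_ipv4 ADDR_TEXT IFACE: exit 0 if IFACE has an IPv4 address
has_ipv4() {
    printf '%s\n' "$1" |
        awk -v i="$2" '$2 == i && $3 == "inet" { found = 1 } END { exit !found }'
}

# has_flag LINK_TEXT IFACE FLAG: exit 0 if FLAG is in the <...> flag list
has_flag() {
    printf '%s\n' "$1" | awk -v i="$2:" -v f="$3" '
        $2 == i {
            gsub(/[<>]/, "", $3); n = split($3, a, ",")
            for (k = 1; k <= n; k++) if (a[k] == f) ok = 1
        }
        END { exit !ok }'
}

# check_inline ADDR_TEXT LINK_TEXT MGMT IF1 IF2: one line per problem found
check_inline() {
    addr=$1; link=$2; mgmt=$3; shift 3
    has_ipv4 "$addr" "$mgmt" || echo "$mgmt: management interface has no IPv4 address"
    for i in "$@"; do
        if has_ipv4 "$addr" "$i"; then echo "$i: inline interface has an IPv4 address"; fi
        has_flag "$link" "$i" UP || echo "$i: not UP"
        has_flag "$link" "$i" PROMISC || echo "$i: PROMISC flag not set"
    done
}

# Run against the constructed sample; on a live host pass
# "$(ip -o addr show)" and "$(ip -o link show)" instead.
check_inline "$SAMPLE_ADDR" "$SAMPLE_LINK" eth0 eth2 eth3
```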