[Snort-users] snort daemon to listen to eth2 and eth3 in promiscuous mode

Ayodele Okeowo aymacro at ...11827...
Tue Feb 19 09:42:11 EST 2013


Nice! I will assume you are using the bond0 interface as your management
interface and it's described in your snort config file.

You shouldn't have any problem; you just have to change the format of the
command line to the one I pasted earlier.

Ayo


On Tue, Feb 19, 2013 at 8:02 AM, Ayodele Okeowo <aymacro at ...11827...> wrote:

> If you only have 2 interfaces, you will need 3 interfaces where one
> interface will have an IP address configured on it for management (no
> promisc) and the other 2 will not have any IP address configuration on them
> and they will need to be in Promisc modes.
>
> if you eventually have 3 interfaces up and configured, use the below
> command as referenced in Snort Manual.
>
> snort -c /etc/snort/snort.conf -u snort -g snort --daq afpacket -i eth2:eth3 -Q
>
> Replace the interfaces with the ones that correspond with your
> interfaces. Hope this helps.
> {read more on DAQ modes and types -
> http://vrt-blog.snort.org/2010/08/snort-29-essentials-daq.html}
>
> Ayo
>
>
> On Tue, Feb 19, 2013 at 7:54 AM, Ayodele Okeowo <aymacro at ...11827...> wrote:
>
>> Ok, to run Snort in inline mode your snort command will look different.
>> How many interfaces do you have on your box?
>>
>> Ayo
>>
>>
>> On Tue, Feb 19, 2013 at 7:29 AM, Kaushal Shriyan <
>> kaushalshriyan at ...11827...> wrote:
>>
>>>
>>>
>>> On Tue, Feb 19, 2013 at 5:54 PM, Ayodele Okeowo <aymacro at ...11827...> wrote:
>>>
>>>> What command do you type when running snort in inline? You will have to
>>>> pair both interfaces in order to use both for sniffing.
>>>>
>>>> Paste your command on here and let's see. :)
>>>>
>>>> Ayo
>>>>
>>>>
>>> Thanks Ayo for the quick reply and I start snort using init script on
>>> CentOS 5.8 with the below mentioned details
>>>
>>> [root at ...2306... ~]# /etc/init.d/snortd status
>>> snort (pid 17573) is running...
>>> [root at ...2306... ~]# ps aux | grep snort
>>> snort    17573  0.0  0.2 417000 71064 ?        Ssl  17:21   0:00
>>> /usr/sbin/snort -A fast -b -d -D -i eth2 -u snort -g snort -c
>>> /etc/snort/snort.conf -l /var/log/snort
>>> root     17647  0.0  0.0  61172   752 pts/0    S+   17:58   0:00 grep
>>> snort
>>> [root at ...2306... ~]#
>>>
>>> Regards
>>>
>>> Kaushal
>>>
>>>
>>
>
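
An added example, not part of the original thread or of the Snort project: a shell check that reads a snort command line (for instance from `ps` output) and reports whether it is the passive single-interface form or the afpacket inline pair form discussed above. The function name and output strings are assumptions; the two sample inputs are the command lines quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify a snort command line.
# Output strings and the function name are illustrative assumptions.
# Prints "passive <iface>", "inline <ifA> <ifB>", "unchecked daq=<name>",
# or "invalid <reason>" (exit status 1).
classify_snort_cmd() {
    q=0; daq=""; mode=""; iface=""
    set -f              # no glob expansion while word-splitting
    set -- $1           # split the command line on whitespace
    set +f
    while [ $# -gt 0 ]; do
        case "$1" in
            -Q)         q=1 ;;
            --daq)      [ $# -ge 2 ] && { daq=$2; shift; } ;;
            --daq-mode) [ $# -ge 2 ] && { mode=$2; shift; } ;;
            -i)         [ $# -ge 2 ] && { iface=$2; shift; } ;;
        esac
        shift
    done
    [ "$mode" = inline ] && q=1
    if [ "$q" -eq 0 ]; then
        echo "passive ${iface:-unspecified}"
        return 0
    fi
    if [ "$daq" != afpacket ]; then
        # Only the afpacket case from the thread is validated here.
        echo "unchecked daq=${daq:-default}"
        return 0
    fi
    case "$iface" in
        ?*:?*) ;;       # afpacket inline bridges a pair written ifA:ifB
        *) echo "invalid afpacket-inline-needs-ifA:ifB"; return 1 ;;
    esac
    a=${iface%%:*}; b=${iface#*:}
    if [ "$a" = "$b" ]; then
        echo "invalid pair-uses-same-interface"; return 1
    fi
    echo "inline $a $b"
}

# Constructed inputs: the two command lines quoted in the thread.
classify_snort_cmd "/usr/sbin/snort -A fast -b -d -D -i eth2 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort"
classify_snort_cmd "snort -c /etc/snort/snort.conf -u snort -g snort --daq afpacket -i eth2:eth3 -Q"
```

The init-script command line from the thread classifies as passive on eth2, which is why the daemon was not bridging eth2 and eth3.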