[Dshield] Snort listen on non-address interface

Nguyen Nhu Hao nhuhao at vnuhcm.edu.vn
Sat Aug 23 08:47:12 GMT 2003


Hello all,
I have a Redhat box with 2 network cards, and I would like to run snort
listening on one interface and use the other interface for the analyst. On
the interface that snort listens on, I don't want to assign an IP address,
but when snort starts, I cannot capture any packets. How can I solve the
problem? Here is my configuration:

[root at linhcanh snort]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:60:B0:67:9E:9B
          inet addr:172.16.5.100  Bcast:172.16.5.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5892 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2792 errors:0 dropped:0 overruns:319 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:11 Base address:0x4800

eth1      Link encap:Ethernet  HWaddr 00:02:A5:40:7E:7A
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:101734 errors:0 dropped:0 overruns:0 frame:0
          TX packets:87 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:5 Base address:0x4840

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:256 errors:0 dropped:0 overruns:0 frame:0
          TX packets:256 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

[root at linhcanh snort]#

And the snort script:

case "$1" in
  start)
        echo -n "Starting snort: "
        cd /var/log/snort
        daemon /usr/local/bin/snort -i eth1 -d -D -A full -l /var/log/snort -c /etc/snortd/snort.conf
        touch /var/lock/subsys/snort
        echo
        ;;


Thank you in advance
Nguyen Nhu Hao
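
A way to check the sensor-interface state from the `ifconfig -a` output shown in the message, as an added example that is not part of the original post: it reports whether an interface is UP, unaddressed, and receiving frames at the kernel level. The function names `iface_report`, `check_sensor` and `sample_ifconfig` are hypothetical, and the script assumes the net-tools output layout seen above.

```shell
#!/bin/sh
# Added example: audit a sniffing interface from `ifconfig -a` text
# (net-tools layout, as in the post). Input is read from stdin.

# iface_report IFACE -> "up=<0|1> addr=<0|1> promisc=<0|1> rx=<count>"
iface_report() {
    awk -v want="$1" '
        /^[^ \t]/     { cur = $1 }            # stanza name starts in column 1
        cur != want   { next }
        /inet addr:/  { addr = 1 }
        $1 == "UP"    { up = 1 }
        /PROMISC/     { promisc = 1 }
        /RX packets:/ { split($2, f, ":"); rx = f[2] }
        END { printf "up=%d addr=%d promisc=%d rx=%d\n", up, addr, promisc, rx }
    '
}

# check_sensor IFACE -> exit 0 if the interface is UP, unaddressed and the
# kernel RX counter is non-zero; prints one line per finding plus the report.
check_sensor() {
    report=$(iface_report "$1")
    status=0
    case "$report" in *up=1*) ;; *) echo "$1: link is not UP"; status=1 ;; esac
    case "$report" in *addr=1*) echo "$1: has an IPv4 address"; status=1 ;; esac
    case "$report" in *rx=0) echo "$1: RX counter is zero"; status=1 ;; esac
    # Informational only: a capture library can enable promiscuous mode
    # without this flag appearing in ifconfig output.
    case "$report" in *promisc=0*) echo "$1: PROMISC flag not shown" ;; esac
    echo "$report"
    return $status
}

# Sample input: eth0/eth1 stanzas copied (trimmed) from the post's ifconfig -a.
sample_ifconfig() {
    cat <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:60:B0:67:9E:9B
          inet addr:172.16.5.100  Bcast:172.16.5.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5892 errors:0 dropped:0 overruns:0 frame:0

eth1      Link encap:Ethernet  HWaddr 00:02:A5:40:7E:7A
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:101734 errors:0 dropped:0 overruns:0 frame:0
EOF
}

sample_ifconfig | check_sensor eth1
```

On a live host, `ifconfig -a | check_sensor eth1` runs the same checks; a non-zero RX counter only shows that the kernel is receiving frames on the interface, not that snort is processing them.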
