[Dshield] Snort listen on non-address interface

Eric Nevalainen enevala at mirage.skypoint.com
Fri Aug 22 17:58:03 GMT 2003


Well, this applies to BSD rather than linux....but the principle is
the same, so here goes.

Bring the interface up w/o an address:

bash-2.04# more /etc/hostname.fxp1
up

"up" will activate the interface (see man ifconfig), but with no
parameters assigned, all it will do is listen, it can't talk, nor can it
be talked to.

Call snort to listen on the blank interface:

snort -i fxp1 (where fxp1 equals the blank interface)

make sure you are using the -i flag, along with all of the other
flags/startup options that you are using.

You may see either a console, or a syslog message:

Aug 22 13:07:02 ns2 snort: WARNING: OpenPcap() device fxp1 network lookup:
fxp1: no IPv4 address assigned

don't worry about it.....

I'm assuming (*bad thing...I know) that you want to use on interface to
sniff, and one interface to manage the box.

hth

e.
On Fri, 22 Aug 2003, John D. wrote:

> >Hello all,
> >I have a Redhat box with 2 network card and I would like to run snort listen
> >on one interface and another interface use for analyst. On the interface
> >that snort listen, I don't like to asign IP address for it, but when snort
> >start, I cannot capture any packets. How can I have to solve the problem ?
> >Here is my configure
>
> Are you running under Bridge mode?  or as a NAT?
>
> John
>
>
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
>




More information about the list mailing list