
Snort Forums Archive


2 nics on snort


Posted by duel on June 29, 2006 12:19:36

I have 2 NICs in my CentOS 4.3 Linux server, running Snort 2.4.5. It is working as it should. I'd like to have Snort use the 1st NIC for management and the 2nd NIC for sniffing.


My /etc/sysconfig/network-scripts/ifcfg-eth0:

DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.26.255
HWADDR=00:0C:29:EA:59:32
IPADDR=192.168.26.54
NETMASK=255.255.255.0
NETWORK=192.168.26.0
ONBOOT=yes
TYPE=Ethernet

My /etc/sysconfig/network-scripts/ifcfg-eth1:

DEVICE=eth1
BOOTPROTO=static
ONBOOT=yes
TYPE=Ethernet


How do I config snort.conf to use eth0 for management and eth1 for sniffing? Please help.





Posted by duel on June 30, 2006 06:56:53

From what I've read, I'm to edit /etc/init.d/snort

from:

BASE=snort
DAEMON="-D"
INTERFACE="-i eth0"
CONF="/etc/snort/snort.conf"

to:

BASE=snort
DAEMON="-D"
INTERFACE="-i eth1"
CONF="/etc/snort/snort.conf"

OR:

BASE=snort
DAEMON="-D"
INTERFACE="eth1"
CONF="/etc/snort/snort.conf"


When I do either, Snort fails to start. Don't I also need to edit /etc/snort/snort.conf?



Posted by phpfreak on August 08, 2006 11:00:22

Why not just bridge them using bridge-utils and then give it a public IP? This way you can deploy your snort box transparently.

Something like this:

yum install bridge-utils

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1

Then, bring up the bridge:

ifconfig eth0 0.0.0.0 up promisc
ifconfig eth1 0.0.0.0 up promisc
ifconfig br0 PUBLIC_IP netmask 255.255.255.0 up

Then add the default route:

route add default gw GATEWAY_HERE dev br0

Then I do this too:

echo "1" > /proc/sys/net/ipv4/ip_forward


Now, uplink one ethernet to your internet, the other to a switch and you can plug devices into the switch. The IP address you use on the bridge is simply for management. The snort device will be completely transparent and you won't even see it on any traceroutes, but you can SSH into it and start managing it, or install BASE / ntop and manage it through the web.

Keep in mind, your iptables rules to drop an IP should go into the FORWARD chain.


Good luck.
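
An added pre-flight check for the split management/sniffing layout duel asked about, not code from the thread: it reads the CentOS ifcfg files and the INTERFACE line of /etc/init.d/snort quoted above, and only starts Snort if the chosen NIC carries no address and is not the management NIC (an addressed sniffing NIC is reachable from the monitored segment, which is also what happens to br0 in the bridge setup). It assumes eth0 is the management NIC, the stock /etc/sysconfig/network-scripts paths, and the ifconfig and snort command-line flags used in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): check a split layout before starting
# Snort. The sniffing NIC must carry no IP address, so it has no presence on
# the monitored segment, and the init script's INTERFACE line must name that
# NIC, not the management one. Assumes CentOS-style ifcfg-* files and the
# INTERFACE="-i ethN" line from /etc/init.d/snort quoted in the thread.

# Print the value of KEY from an ifcfg file (empty if the key is absent).
ifcfg_get() {  # ifcfg_get FILE KEY
    sed -n "s/^$2=//p" "$1" | tr -d '"' | head -n 1
}

# Succeed only if FILE describes a sniff-only NIC: no IPADDR and no DHCP.
# An addressed or DHCP interface would be reachable from the monitored side.
sniff_iface_ok() {  # sniff_iface_ok FILE
    [ -z "$(ifcfg_get "$1" IPADDR)" ] &&
    [ "$(ifcfg_get "$1" BOOTPROTO)" != "dhcp" ]
}

# Extract ethN from INTERFACE="-i ethN". The INTERFACE="eth1" form from the
# second post has no -i flag, so it yields nothing and is rejected below.
snort_iface() {  # snort_iface INITSCRIPT
    sed -n 's/^INTERFACE="-i *\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the sniffing NIC and return 0 if the layout is sane; otherwise
# explain on stderr and return 1.
check_layout() {  # check_layout INITSCRIPT MGMT_IFACE SYSCONFIG_DIR
    iface=$(snort_iface "$1")
    if [ -z "$iface" ]; then
        echo "INTERFACE= must be of the form \"-i ethN\"" >&2; return 1
    fi
    if [ "$iface" = "$2" ]; then
        echo "Snort would sniff the management NIC $2" >&2; return 1
    fi
    if ! sniff_iface_ok "$3/ifcfg-$iface"; then
        echo "$iface has an address; the sniffing NIC must have none" >&2; return 1
    fi
    echo "$iface"
}

# Only runs on a real Snort host: bring the sniffing NIC up address-less and
# promiscuous, then start Snort on it (-D daemon, -i interface, -c config).
if [ -f /etc/init.d/snort ] && iface=$(check_layout /etc/init.d/snort eth0 \
        /etc/sysconfig/network-scripts); then
    ifconfig "$iface" 0.0.0.0 up promisc
    snort -D -i "$iface" -c /etc/snort/snort.conf
fi
```

Run it as root after editing /etc/init.d/snort; it prints the reason on stderr and does nothing if the layout is wrong.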


Posted by duel on August 10, 2006 14:14:21

Good info! Thanks, I'll try.