Snort.org home  
Got Source? About Snort About Sourcefire Snort FAQ
Sourcefire Network Security - the creators of Snort
Snort News Downloads Snort Docs Rules Snort Community Snort Forums Snort Training
Search Site
Search Rules
Account
email
password
not registered?
user preferences

Snort Forums Archive

Archive Home » BSD » OpenBSD - Ethernet Tap and snort ...

Please note that the categories listed below represent an archived version of our forums pages. To view the current version and be able to post and reply to threads, please register and login here to go to the full forums pages.

[ Notice: Full Version of This Topic ]

OpenBSD - Ethernet Tap and snort ...


Posted by Mik777 on December 20, 2006 10:45:22

Hi,

I'm actually trying to setup a box with OpenBSD and snort to act has a NDIS on my LAN. I'm having issues with the ethernet tap I'm using. I followed the guide provided by snort.org ( http://www.snort.org/docs/tap/ ). Then, I connected my firewall and my cisco switch to the host ports. Everything works. However, when it comes to listen on the port A and B, nothing so far. I configured 2 NICs within a trunk on my OpenBSD to be able to listen to incoming and outgoing traffic. I'm using straight cables from the NIDS to the ethernet tap. There is not link light on my NICs.

Is this the way to setup a NIDS on OpenBSD using Ethernet tap? Using trunk ?

I know that I can use OpenBSD as a bridge to bypass that config, but I would like to use ethernet tap instead.

Thank you for your answers,

M.B.

Posted by mcoy3 on April 12, 2007 04:30:42

http://www.vorant.com/nsmwiki/index.php?title=OpenBSD_Network_Tap

Posted by Mik777 on April 13, 2007 03:42:44

Hi,

Thank you very much for the link. It was very straightforward. But I have a little problem right now. It says in the wiki that we can connect a straight cable from the span port up to the collector. There is traffic on the span port on the bridge but nothing so far on the collector's interface. I was thinking that it would be a problem with the cable. I changed it and I tried with a cross cable as well: Nothing!

At the end of the wiki, this command is displayed :

# ifconfig nfe0 promisc -arp up

But there is no "promisc" keyword for ifconfig on Open ... I tried but it's giving me an error saying that this parameter is not accepted. Is there something wrong with that ?

Thank you,

M.B.
site feedback | Terms of Use | Privacy Policy | forum archives ©2008 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.