Re: [Snort-users] Running snort in daemon mode disables network connection

From: Erek Adams <erek(at)snort.org>
Date: Fri Feb 28 2003 - 18:22:56 EST

On Fri, 28 Feb 2003, Sadanapalli, Pradeep Kumar (MED, TCS) wrote:

> I am running snort-1.9.0 on my redhat linux 8.0 laptop. I am using my

Easy enough.

> I am not using other network interface,eth0. It is just left unconnected

No problem. Forget about it.

> When I am running snort in daemon mode, I am losing my network

It's not Daemon mode that is giving you grief--It's promiscuous mode that is.

> What is this promiscuous mode?

To sort of quote "The Red Book" [0]....

'Ethernet is sort of like a "polite" dinner party. If you want to talk to someone, you write the message on a bit of paper, fold it, and on the outside you write the name of the recipient. Everyone looks at the address, but not at what's inside.'

Promiscuous mode is different. You _read_ all the bits of paper no matter who it is for.

Since you just want to look for scans and attacks that are headed to you, you don't need promisc mode. You just want what's destined for your interface.... Hence, no need of promiscuous mode.

Simply start Snort with the "-p" flag and it should work fine.

Cheers!

---

Erek Adams

   "When things get weird, the weird turn pro." H.S. Thompson

[0] http://www.amazon.com/exec/obidos/tg/detail/-/0131510517/qid=1046473814/sr=1-2/ref=sr_1_2/104-8282033-5068702?v=glance&s=books

(URL may wrap)

---

This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven.
http://thinkgeek.com/sf

---

Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users Received on Fri Feb 28 18:41:59 2003