I want to use Snort 2.x as an IPS. I understand that I need two NICs to capture the traffic (DAQ mode).

  • eth0 = my network card to the WAN
  • eth1 = my internal (virtual) NIC for Snort.

My current run command:

snort -u snort -g snort -c /etc/snort/snort.conf --daq afpacket -i eth0:eth1 -l /var/log/snort -Q

How I enable promiscuous mode:

tee /etc/rc.local <<EOF
#!/bin/sh -e
ifconfig eth0 promisc
ifconfig eth1 promisc
exit 0
EOF
chmod +x /etc/rc.local
systemctl start rc-local

Which of the two cards do I need to put in promiscuous mode? eth0, eth1 or even both?

Gill-Bates

1 Answer

It depends on what traffic you want to capture. If you want all of the traffic that eth0 and eth1 see, then use -i eth0:eth1.

Cameron
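
Added example, not part of the question or the answer above: a way to check which interfaces of the inline pair passed to `-i` (here `eth0:eth1`) currently have the promiscuous flag set, by reading the Linux sysfs `flags` file for each one. The function names and the `SYSFS_NET` override are assumptions made for this sketch; `0x100` is `IFF_PROMISC` from `linux/if.h`.

```shell
#!/bin/sh
# Added example: report promiscuous-mode state for each interface of a
# Snort afpacket inline pair (the "eth0:eth1" argument given to -i).
# SYSFS_NET is a hypothetical override so the check can be pointed at a
# constructed directory tree instead of the live /sys/class/net.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"
IFF_PROMISC=256   # 0x100, IFF_PROMISC in linux/if.h

# is_promisc IFACE
# exit 0: promiscuous flag set, 1: flag clear, 2: interface not found
is_promisc() {
    flags_file="$SYSFS_NET/$1/flags"
    [ -r "$flags_file" ] || return 2
    flags=$(cat "$flags_file")            # hex string such as 0x1103
    [ $(( $flags & $IFF_PROMISC )) -ne 0 ]
}

# check_pair "eth0:eth1"
# Prints one status line per interface; exit 0 only if every interface
# in the pair has the promiscuous flag set.
check_pair() {
    rc=0
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs   # split the pair on ':'
    for iface in "$@"; do
        if is_promisc "$iface"; then
            state=on
        else
            case $? in
                2) state=missing ;;
                *) state=off ;;
            esac
            rc=1
        fi
        echo "$iface promisc=$state"
    done
    return $rc
}

# Run against the pair given on the command line, e.g.: ./check.sh eth0:eth1
if [ $# -gt 0 ]; then
    check_pair "$1"
fi
```

Running it before and after starting Snort with the same `-i` pair shows whether each interface is already promiscuous or still depends on the `rc.local` entries.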