Gill-Bates

Asked: 2022-02-15 02:57:53 +0800 CST2022-02-15 02:57:53 +0800 CST 2022-02-15 02:57:53 +0800 CST

Snort DAQ: which NIC should run in promiscuous mode?

772

I want to use Snort 2.x as IPS. I have understood, that I need two NICs to capture the traffic (DAQ-Mode).

eth0 = my network card to the WAN
eth1 = my internal (virtual) NIC for Snort.

My current Run-Command:

snort -u snort -g snort -c /etc/snort/snort.conf --daq afpacket -i eth0:eth1 -l /var/log/snort -Q

How I enable the PROMISC-Mode:

tee /etc/rc.local <<EOF
#!/bin/sh -e
ifconfig eth0 promisc
ifconfig eth1 promisc
exit 0
EOF
chmod +x /etc/rc.local
systemctl start rc-local

Which of the two card do i need to put in promiscuous mode? eth0, eth1 or even both?

1 Answers

Voted

Best Answer

Cameron
2022-02-15T21:40:54+08:002022-02-15T21:40:54+08:00
It depends on what traffic you want to capture. If you want all of the traffic that eth0 and eth1 see, then use -i eth0:eth1.
1

Web Analytics Made Easy - Statcounter