Snort by default sets your interface card to promiscuous mode. You can verify
this by looking at 'ifconfig' output.
eth0      Link encap:Ethernet  HWaddr 00:E0:7D:79:01:25
          inet addr:XX.XX.XX.XX  Bcast:255.255.255.255  Mask:255.255.254.0
          UP BROADCAST RUNNING PROMISC  MTU:1500  Metric:1
          RX packets:1882801 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1704205 errors:8 dropped:0 overruns:0 carrier:16
          collisions:7247 txqueuelen:100
          Interrupt:10 Base address:0xe000
UP BROADCAST RUNNING ||[PROMISC]|| etc...
If you don't want snort running in promisc mode you can set this with the -p
option.
Another way of verifying your interface is in promisc mode is to look at your
/var/log/messages file for kernel messages:
    Mar 3 04:07:06 kid_natas kernel: device eth0 entered promiscuous mode
    Mar 3 04:07:15 kid_natas kernel: device eth0 left promiscuous mode
cheers
xbud
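
The log check described in the message above, as an added example that is not part of the original post: it replays the kernel "entered/left promiscuous mode" lines to work out which interfaces are currently promiscuous and flags any that are not expected sensor interfaces. The allow-list, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re

# Matches the kernel lines quoted in the message, e.g.
# "Mar 3 04:07:06 kid_natas kernel: device eth0 entered promiscuous mode".
# The optional "[ 123.456]" group tolerates kernel uptime stamps in newer logs.
PROMISC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+kernel:\s+"
    r"(?:\[[\s\d.]+\]\s+)?device\s+(?P<dev>\S+)\s+"
    r"(?P<verb>entered|left)\s+promiscuous mode")

def promisc_state(lines):
    """Return ({device: currently_promiscuous}, [(ts, dev, verb), ...])."""
    state, events = {}, []
    for line in lines:
        m = PROMISC_RE.match(line.strip().strip('"'))
        if not m:
            continue  # unrelated syslog line
        state[m["dev"]] = (m["verb"] == "entered")  # last event wins
        events.append((m["ts"], m["dev"], m["verb"]))
    return state, events

def unexpected(state, allowed):
    """Interfaces still promiscuous that are not on the sensor allow-list."""
    return sorted(d for d, on in state.items() if on and d not in allowed)

# Constructed sample in /var/log/messages format (not real log data).
SAMPLE = """\
Mar  3 04:07:06 kid_natas kernel: device eth0 entered promiscuous mode
Mar  3 04:07:15 kid_natas kernel: device eth0 left promiscuous mode
Mar  3 04:09:40 kid_natas crond[812]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 04:10:02 kid_natas kernel: device eth1 entered promiscuous mode
Mar  3 04:12:30 kid_natas kernel: device eth0 entered promiscuous mode
""".splitlines()

if __name__ == "__main__":
    state, events = promisc_state(SAMPLE)
    for ts, dev, verb in events:
        print(f"{ts}  {dev:<6} {verb}")
    # Assumption: eth0 is the interface Snort is meant to sniff on.
    print("unexpected promiscuous interfaces:", unexpected(state, {"eth0"}))
```

On newer Linux kernels a sniffer that enables promiscuous mode through a packet socket may not make the PROMISC flag appear in ifconfig, while the kernel log line is still written, so the log is the more dependable of the two checks.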