| 1 |
Timothy A. Holmes <tholmes <at> mcaschool.net> writes: |
| 2 |
|
| 3 |
|
| 4 |
> I am working on my snort sensor box which runs gentoo. The setup that I |
| 5 |
> am going to do requires me to have one nic (an intel Pro1000) with no ip |
| 6 |
> on it (it is currently eth0 as the machine is currently set up). I know |
| 7 |
> how to set up the nic in the /etc/conf.d/net file but making it have no |
| 8 |
> ip is a little different. Snort will put the nic in promiscous mode to |
| 9 |
> capture packets |
| 10 |
|
| 11 |
|
| 12 |
Piece of cake, for a stealth sniffer. it allows you to sniff the |
| 13 |
local ethernet traffic, yet the system is undetectable. You will |
| 14 |
not be abble to modulate data out of this port, just receive data |
| 15 |
in promiscuous mode, into the eth0 port. |
| 16 |
|
| 17 |
for example |
| 18 |
ifconfig eth0 inet 0.0.0.0 |
| 19 |
|
| 20 |
Works like a charm with wireshark(ethereal). If you need to ssh out |
| 21 |
of the same machine, just install a second ethernet card |
| 22 |
and set it up normally. I put this sniffier our my outbound(cable) |
| 23 |
port to sniffer the outside of the firewall all the time. Works |
| 24 |
like a charm! If you want to make it permanent, just |
| 25 |
put the settins in /etc/conf.d/net |
| 26 |
|
| 27 |
also if, you have multiple ethernet ports in the machine, |
| 28 |
you may need to tweek the routing tables (netstat -nr). |
| 29 |
|
| 30 |
|
| 31 |
hth, |
| 32 |
|
| 33 |
James |
| 34 |
|
| 35 |
|
| 36 |
-- |
| 37 |
gentoo-user@g.o mailing list |
Archives