James wrote:

>gentuxx <gentuxx <at> gmail.com> writes:
>
>>I've set up Solaris systems with multiple NICs, 1 as a
>>command-and-control interface, and 1 as a "sniffing" interface. The
>>sniffing interface was configured without an IP.
>
>
>Did you partially configure the Ethernet port? How does it receive
>(listen to) traffic on a flat hub?
>
>
Yeah.  Set the ifc to no ip and then brought it up.  Then we set up a
switch monitoring port to receive all the traffic.  Keep in mind this
is in an enterprise-level production environment.  We weren't just
trying to sniff our girlfriends'...traffic.  ;-)

>>I don't see any reason why this can't be done in gentoo.
>>I guess it depends on how "non-detectable" you need to be.
>
>
>Well this is the essence of the method described at:
>http://www.linuxjournal.com/article/6222
>
>This article is redhat centric, so I was looking for a method
>that has been implemented and tested with gentoo....
>
>Any further details are welcome.
>
>James
>
I don't know of anything specifically.  But the setup should be
basically the same as in the article, except for the interface config
and snort installation.  Just use net-cfg eth1 (or whatever) to
configure the iface; use 0.0.0.0 if it forces you to put in an IP.
ifconfig should also work.  Emerge snort, then pick up from there.

HTH.  If I had a box with 2 NICs I'd test it for you.  ;-)

--
gentux
echo "hfouvyAdpy/ofu" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 34CE 2E97 40C7 EF6E EC40  9795 2D81 924A 6996 0993

-- 
gentoo-user@gentoo.org mailing list
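An added check, not from the thread or the Linux Journal article: the "no IP" sensor interface described above should be up, promiscuous, and carrying no address at all, and this script verifies that from `ip` output. The interface name eth1 and the sample `ip` lines are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): check that a capture-only interface is
# in the state described above: up, promiscuous, and carrying no address.
# The checks take `ip` command output as arguments so they run offline
# against the constructed sample lines at the bottom.

# Pass the one line printed by `ip -o link show DEV`.  Succeeds only when the
# flag list contains UP (as its own flag, not just LOWER_UP) and PROMISC.
link_is_sniffing() {
    case "$1" in
        *[\<,]UP[,\>]*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *PROMISC*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pass the output of `ip -o addr show DEV`.  Succeeds when no inet or inet6
# line is present.  Note that an IPv6 link-local address (fe80::/64) shows
# up here too; a truly silent sensor port needs IPv6 disabled on it, e.g.
#   sysctl -w net.ipv6.conf.DEV.disable_ipv6=1
addr_is_empty() {
    case "$1" in
        *inet*) return 1 ;;
        *) return 0 ;;
    esac
}

# Run both checks; in real use:
#   check_sniff_iface eth1 "$(ip -o link show eth1)" "$(ip -o addr show eth1)"
check_sniff_iface() {
    dev=$1; link=$2; addr=$3
    link_is_sniffing "$link" || { echo "$dev: not UP and PROMISC"; return 1; }
    addr_is_empty "$addr" || { echo "$dev: still has an address"; return 1; }
    echo "$dev: ok (up, promiscuous, no address)"
}

# Constructed sample output, not captured from a real host.
GOOD_LINK='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
GOOD_ADDR=''
BAD_LINK='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
BAD_ADDR='3: eth1    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1\       valid_lft forever preferred_lft forever'

check_sniff_iface eth1 "$GOOD_LINK" "$GOOD_ADDR"
check_sniff_iface eth1 "$BAD_LINK" "$BAD_ADDR" || echo "(expected failure for the bad sample)"
```

The second sample fails on purpose: it is the interface still carrying an address and no PROMISC flag, which is exactly what would make the sensor reachable.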