Snort mailing list archives

Re: Multiple IF


From: Phil Wood <cpw () lanl gov>
Date: Sat, 18 Aug 2001 23:28:14 -0600

I don't know about 0.6.2 pcap (but, I'm a linux person [in this case]) and
with either 2.2 patched or 2.4 out of the box (so to speak), you can 
accomplish this if you have a pcap patched with Alexey K.'s modifications.
This patch came out eons ago.  If tcpdump.org has a new pcap that handles
multiple interfaces, then you should go with that.

Personally, I don't use that particular feature.  Instead I run multiple
instances of snort using different bpf filters and rule sets on just one
interface which has more traffic than I can shake a stick at.

On Sat, Aug 18, 2001 at 12:47:53PM -0700, Erek Adams wrote:
On Sat, 18 Aug 2001, Andrew Stubbs wrote:

I have tried setting snort to run on multiple interfaces in 2 ways

1) Using multiple address/masks (implicit ip HOME_NET
[xxx.xxx.xxx.xxx/32,yyyy.yyyy.yyyy.yyyy/32]
2) Using separate instances of snort with diff config files.

Also tried using HOME_NET [$eth0_ADDRESS,$eth1_ADDRESS] produces an error
(snort: [!] ERROR /etc/snort/rules/snort2.conf (40): Bad value in variable
definition!
 snort: FATAL ERROR:        Make sure you don't have a "$" in the var name )

In either event the second i/f never goes into promisc mode and thus no
packets logged.

Running: Linux 2.4.2., latest libpcap etc, Snort Version 1.8.1-beta7.
Dual nic (3c59x)

Two suggestions:  Go to 1.8.1-RELEASE; go grab the 0.6.2 version of libpcap,
if you don't have it (you didn't specify the version so I'm guessing).

With that you should be able to have it use any interfaces.  You can use "-i
any" to have one proc look at both nics on a Linux box, IIRC.

Disclaimer:  I'm not a Linux person, in any way--So I might be smokin' crack
on this one....  :)

Any Linux folks out there want to correct my cluelessness?

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov

