Snort mailing list archives
Re: multiple interfaces on a Snort sensor
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Tue, 27 May 2003 17:28:54 +0200
francesco wrote:
In the near past (March 11-13) there were a couple of threads about the [...]
The dual interface is supported (though not recommended, I understand, by some people who replied to the original message) by inserting the option: -i any on the command line. This configuration works also if you have a stealth mode interface, i.e., you do not get error messages when you run the process, but it seems that the logs and the alert are not from the two interfaces but only from the interface having the IP address. I tried this with version 1.9.1, so I cannot confirm whether version 2.0.x has a different behavior. I wish to read some comments from those who also experimented with such a configuration, that in my humble opinion could work fine (no significant packet loss) with some good quality ethernet cards and a fast (current) PC.
Of course it will work. Please read the libpcap docs about this case. Also the tcpdump-workers list is a good source.

AFAIK if you specify "any" on the command line (either snort or tcpdump or whatever) all packets from all interfaces (including loopback!) will be copied to the application listening. This behaviour has nothing to do with Snort, but with kernel sockets. Remember that in this case, the promisc mode will not work either, since the socket is ignoring the "set promisc mode" flag.

Again: See the libpcap docs, especially those from Phill Wood...

Regards,
Edin
--
Edin Dizdarevic
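A pre-flight check for a sensor started with `-i any`, as an added example that is not part of the original thread or of Snort: it reads the Linux sysfs interface flags and reports which interfaces the capture would include (loopback too) and which of them are not in promiscuous mode. The function names, the `sysfs_root` parameter and the report layout are assumptions made for illustration; the flag bits are the ones defined in `<linux/if.h>`.

```python
import os

# Interface flag bits as defined in Linux <linux/if.h>
IFF_UP = 0x1
IFF_LOOPBACK = 0x8
IFF_PROMISC = 0x100


def read_flags(sysfs_root="/sys/class/net"):
    """Return {interface: flags} parsed from <sysfs_root>/<iface>/flags (hex text)."""
    result = {}
    for name in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, name, "flags")
        try:
            with open(path) as fh:
                result[name] = int(fh.read().strip(), 16)
        except (OSError, ValueError):
            continue  # entry is not an interface, or its flags are unreadable
    return result


def audit_any_capture(flags_by_iface):
    """Classify interfaces for a capture opened on the 'any' pseudo-device."""
    report = {"captured": [], "loopback": [], "not_promisc": [], "down": []}
    for name, flags in sorted(flags_by_iface.items()):
        if not flags & IFF_UP:
            report["down"].append(name)  # no traffic arrives on a down link
            continue
        report["captured"].append(name)
        if flags & IFF_LOOPBACK:
            # 'any' also copies loopback traffic to the listening application
            report["loopback"].append(name)
        elif not flags & IFF_PROMISC:
            # 'any' does not enable promiscuous mode, so this interface
            # only receives frames the NIC already accepts
            report["not_promisc"].append(name)
    return report


if __name__ == "__main__":
    for category, names in audit_any_capture(read_flags()).items():
        print(f"{category:12s} {', '.join(names) or '-'}")
```

An interface listed under `not_promisc` delivers only traffic addressed to it plus broadcast and multicast, which is the situation to look for on a stealth (no IP address) monitoring interface.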
Current thread:
- multiple interfaces on a Snort sensor francesco (May 27)
- Re: multiple interfaces on a Snort sensor Edin Dizdarevic (May 27)