Re: Binding snort to multiple interfaces

[eamonn doyle <edoyle () faxsr com>]

I asked this same question last week so I think I know the answer now. 

Patrick is right, run 2 snort processes, here is what I use it will get you 
the eth0 and eth1 you want to differentiate between the interfaces.

/usr/local/bin/snort -d -i eth0 -I -D
/usr/local/bin/snort -d -i eth1 -I -D
/usr/local/bin/snort -d -i eth2 -I -D

This works for me, I run it from the directory that contains the conf file and 
the same conf file is used for all instances.

Eamonn

On Wednesday 07 April 2004 16:13, Patrick Harper wrote:
> Run two instances of snort, one for each interface.
>
>
> Patrick S. Harper | CISSP RHCT MCSE
> patrick.harper () phns com
>
> -----Original Message-----
> From: heric-dated-1083277626.193075aa63e273 () catastrophe net
> [mailto:heric-dated-1083277626.193075aa63e273 () catastrophe net]
> Sent: Tuesday, April 06, 2004 9:39 PM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Binding snort to multiple interfaces
>
>
> Is there a way to bind snort to multiple interfaces *and* report back
> the interface traffic was logged on? I have seperate unidirectional
> interfaces in a FreeBSD machine; I *can* bridge the two interfaces
> together, but then I don't get the interface listed in the alerts file
> (which defeats my desire to see the vector).
>
> Just curious - - thanks.
>
> - Eric
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: IBM Linux Tutorials
> Free Linux tutorial presented by Daniel Robbins, President and CEO of
> GenToo technologies. Learn everything from fundamentals to system
> administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
> Disclaimer:
> This electronic message, including any attachments, is confidential and
> intended solely for use of the intended recipient(s). This message may
> contain information that is privileged or otherwise protected from
> disclosure by applicable law. Any unauthorized disclosure, dissemination,
> use or reproduction is strictly prohibited. If you have received this
> message in error, please delete it and notify the sender immediately.
>
>
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: IBM Linux Tutorials
> Free Linux tutorial presented by Daniel Robbins, President and CEO of
> GenToo technologies. Learn everything from fundamentals to system
> administration.http://ads.osdn.com/?ad_id70&alloc_id638&op=Click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users