Snort mailing list archives
Re: Binding snort to multiple interfaces
From: "Rolf A. Vaglid" <rolf () qt-developer org>
Date: Thu, 08 Apr 2004 02:09:20 +0200
eric-dated-1083277626.193075aa63e273 () catastrophe net wrote:
> On Wed, 2004-04-07 at 16:48:17 -0500, eamonn doyle proclaimed...
>
> > Patrick is right, run 2 snort processes, here is what I use it will get you the eth0 and eth1 you want to differentiate between the interfaces.
> >
> > /usr/local/bin/snort -d -i eth0 -I -D
> > /usr/local/bin/snort -d -i eth1 -I -D
> > /usr/local/bin/snort -d -i eth2 -I -D
> >
> > This works for me, I run it from the directory that contains the conf file and
>
> Thanks. So then my question is: is any work being done on making multiple interfaces possible? I'd think folks monitoring separate interfaces would enjoy this, especially if each alert was tagged with an interface ID.
I use the Snort 2.1.2 rpms on Fedora Core 1 and it listens to my two VLAN-interfaces out-of-the-box. The /etc/init.d/snort script contains the following:

    if [ "$INTERFACE" = "-i ALL" ]; then
        for i in `cd /proc/sys/net/ipv4/conf; ls -d eth* |sed s/"\/"//g`
        do
            mkdir -p "$LOGDIR/$i"
            chown -R snort:snort $LOGDIR
            daemon /usr/sbin/snort $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST
        done
    else
        daemon /usr/sbin/snort $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST
    fi

This searches the /proc/sys/net/ipv4/conf/ directory for interfaces beginning with eth*. /proc/sys/net/ipv4/conf/ contains configurations for all the interfaces, in my case:

    all default eth0.188 eth0.4 lo

Since the script finds two interfaces whose names start with eth*, it automatically starts two snort-instances, and each instance is associated with a separate sensor.
If you are using VLANs like me, be aware that vlans might have different name-policies (eth0.4, vlan0004, eth0004). With this script only those beginning with eth will work. This is easy to fix if you have to use the vlan0004 method.

Cheers
Rolf
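The per-interface loop from the message above, extended to the vlan0004 naming style it mentions, as an added example that is not part of the original post or of the RPM's init script. The function names, the default paths for the Snort configuration and log directory, and the character filter on interface names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: one snort instance per monitored interface, each with its
# own log directory. Defaults below are assumptions; override via environment.
CONF_DIR="${CONF_DIR:-/proc/sys/net/ipv4/conf}"
LOGDIR="${LOGDIR:-/var/log/snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# Print the interfaces to monitor, one per line. Matches both naming
# policies from the message (eth0.4 / eth0004 and vlan0004) and skips
# "all", "default" and "lo".
list_sensor_ifaces() {
    for entry in "$1"/*; do
        [ -d "$entry" ] || continue
        name=${entry##*/}
        case "$name" in
            # Interface names end up on a root command line and in a log
            # path, so drop anything outside a conservative character set.
            *[!A-Za-z0-9._-]*) continue ;;
            eth*|vlan*) printf '%s\n' "$name" ;;
        esac
    done
}

# Dry run by default: print the command for each interface.
# With START=1, create the per-interface log directory and start snort.
start_sensors() {
    list_sensor_ifaces "$CONF_DIR" | while read -r ifc; do
        # -I puts the interface name into each alert, -l keeps logs apart
        set -- /usr/sbin/snort -D -I -i "$ifc" -u snort -g snort \
               -c "$SNORT_CONF" -l "$LOGDIR/$ifc"
        if [ "${START:-0}" = 1 ]; then
            mkdir -p "$LOGDIR/$ifc" &&
                chown snort:snort "$LOGDIR/$ifc" &&
                "$@"
        else
            echo "$*"
        fi
    done
}
```

Calling `start_sensors` without `START=1` only prints the commands, which makes it easy to confirm which interfaces were picked up before any sensor is started.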