Snort mailing list archives
RE: Snorting on 2 interfaces
From: "Truax, Shawn (MBS)" <Shawn.Truax () mbs gov on ca>
Date: Thu, 22 Apr 2004 08:25:48 -0400
Hi,

Ultimately it will depend on what type of output you want from snort. You can follow the method that Alex outlined or as an alternative you can create two instances of snort. This can be done by creating two snort.conf files and two output locations to write alerts. Then run snort once with the first snort.conf and then again with the second. (This is a very simplistic description but it's not too hard to get going.)

This works better for me as the alerts are entered into the DB as multiple sources so I can also sort alerts by interface. This also allows me to run different rule sets on each interface. I have the interfaces plugged into different segments of the network, so one rule might generate lots of false positives on one interface and generate true positives on another. I don't have to turn off the rule completely or dig through a bunch of fluff, just have to disable it on the one interface only.

Shawn Truax
Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario M5H 3B7
(416)327-1107

-----Original Message-----
From: AJ Butcher, Information Systems and Computing [mailto:Alex.Butcher () bristol ac uk]
Sent: April 22, 2004 3:54 AM
To: Conan the Librarian; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snorting on 2 interfaces

--On 17 April 2004 13:26 -0600 Conan the Librarian <conan_the_librarian () adelphia net> wrote:
Hello all, Need a little help here configuring snort to sniff on two interfaces simultaneously in a low traffic environment. Tried editing /etc/init.d/snort config file with IFACE=eth0,eth1
That will try to sniff on an interface named "eth0,eth1" and will almost certainly fail.
then IFACE=[eth0,eth1]
Bogus.
then two separate lines of IFACE=eth0 and IFACE=eth1
The second line will redefine the shell variable IFACE from eth0 to eth1 and snort will only sniff on eth1.
all with no joy. Read Beale, Foster and Posluns' book cover to cover. Checked man pages. Searched archives. All have HINTS that it can be done but no one specifies the syntax of the initiation or conf file.
With the standard snortd init script, setting IFACE="eth1 -i eth0 -i eth3" should work. Note the '-i's for the second and subsequent interfaces. Alternatively, bond the interfaces together, and attach snort to the bond0 interface.
Anyone done this before? MJ
Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing
GPG Key ID: F9B27DC9 GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
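The two-instance setup described at the top of this message (one snort.conf and one alert location per interface, with a noisy rule disabled on one interface only), as an added example that is not part of the original thread. The interface names, file paths, SIDs and sample rules are assumptions constructed for illustration; the script only prints what it would run.

```shell
#!/bin/sh
# Added example (not from the thread): plan one Snort instance per interface,
# each with its own config file, log directory and rule set.
# Paths, interface names and SIDs below are assumptions for illustration.
CONF_DIR=/etc/snort
LOG_ROOT=/var/log/snort

# Print the command line for the instance bound to interface $1.
# -D daemon mode, -i interface, -c config file, -l log directory.
snort_cmd() {
    printf 'snort -D -i %s -c %s/snort-%s.conf -l %s/%s\n' \
        "$1" "$CONF_DIR" "$1" "$LOG_ROOT" "$1"
}

# Read rules on stdin and comment out those whose sid appears in the
# space-separated list $1. Everything else passes through unchanged, so the
# same base rule file can feed every interface.
disable_sids() {
    awk -v sids="$1" '
        BEGIN { n = split(sids, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        {
            line = $0
            if ($0 !~ /^[ \t]*#/ && match($0, /sid:[ \t]*[0-9]+[ \t]*;/)) {
                sid = substr($0, RSTART, RLENGTH)
                gsub(/[^0-9]/, "", sid)
                if (sid in off) line = "# disabled on this interface: " $0
            }
            print line
        }'
}

# Constructed sample rules standing in for a shared base rule file.
SAMPLE_RULES='alert tcp any any -> any 80 (msg:"constructed rule A"; sid:1000001; rev:1;)
alert icmp any any -> any any (msg:"constructed rule B"; sid:1000002; rev:1;)'

# Dry run: show both instances, then the rule set eth1 would load if
# sid 1000002 is the rule that is too noisy on that segment.
for ifc in eth0 eth1; do
    snort_cmd "$ifc"
done
echo "# eth1 rules with sid 1000002 disabled:"
printf '%s\n' "$SAMPLE_RULES" | disable_sids "1000002"
```

Each per-interface snort.conf would include its own filtered rule file; running `snort -T -c <conf>` against each one checks the configuration before the instances are started.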