Snort mailing list archives

Re: Snort on multiple interfaces


From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Thu, 04 Nov 2004 08:58:46 +0000



--On 03 November 2004 18:38 +0200 "Jeffries, Michael MJ" <Michael.Jeffries () standardbank co za> wrote:

> I have a box with 3 interfaces pointing at different networks, I am
> running fedora 9.2. How can I get snort to sniff on more than one
> interface?
>
> Do I just start two sessions of snort up as follows ?
>
> snort -c /etc/snort/snort.conf -i eth0 &
> snort -c /etc/snort/snort.conf -i eth1 &

That's one, perfectly acceptable, way.

> Or is there a better way to do this?

A different approach (which may be "better" depending on what you're trying to achieve) is to bond together the physical interfaces to a single interface, and have one instance of Snort sniffing from that. The advantage of doing this is that snort can track state across multiple segments. The (possible) disadvantage is that you can only use one policy per bond interface (i.e. one per instance of Snort).

<http://www.redhat.com/archives/redhat-install-list/2003-July/msg00665.html> gives a bit more detail on setting up bonding with RH-like OSs such as Fedora. Note that you probably don't want to bind an IP address to bond0 (or whatever) if you're using it for Snort.

> Thanks a ton
> Mike

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
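
Added example, not part of the original message or the linked Red Hat post: a sketch of the bonding approach described above, using iproute2 instead of the ifcfg files of that era. The interface names, the `balance-rr` mode and the `APPLY` switch are assumptions chosen for illustration; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: bond sniffing interfaces into one address-less device
# so that a single Snort instance sees all segments.
# Assumptions: Linux with the bonding driver and iproute2; bond0/eth0/eth1
# are sample names; the snort.conf path is the one quoted in the thread.

# bond_sniff_cmds BOND IFACE... : print the commands, one per line.
bond_sniff_cmds() {
    [ $# -ge 2 ] || { echo "usage: bond_sniff_cmds BOND IFACE..." >&2; return 2; }
    bond=$1; shift
    # balance-rr keeps every slave receiving; in active-backup mode
    # frames arriving on the standby slave are dropped.
    echo "ip link add $bond type bond mode balance-rr"
    for ifc in "$@"; do
        # Clear any address and take the slave down before enslaving it.
        echo "ip addr flush dev $ifc"
        echo "ip link set $ifc down"
        echo "ip link set $ifc master $bond"
        echo "ip link set $ifc up"
    done
    # Deliberately no 'ip addr add' for the bond: it stays a passive
    # sniffing device, as the reply recommends.
    echo "ip link set $bond promisc on"
    echo "ip link set $bond up"
    echo "snort -c /etc/snort/snort.conf -i $bond"
}

# apply_bond BOND IFACE... : dry run unless APPLY=1 (then run as root).
apply_bond() {
    bond_sniff_cmds "$@" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd || exit 1      # stop at the first failing command
        else
            echo "+ $cmd"
        fi
    done
}

apply_bond bond0 eth0 eth1
```

Because all segments share one Snort instance here, they also share one `snort.conf`, which is the one-policy-per-bond limitation noted in the reply.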



