Snort mailing list archives
Re: snort with two interface
From: Jeremy Hoel <jthoel () gmail com>
Date: Wed, 5 Dec 2012 18:26:10 +0000
No, you define a bonded interface up front (bond0) and then use that bonded interface as the name '-i bond0'

in your network.interfaces file, it looks kind of like this (Debian based):

auto bond0
iface bond0 inet manual
        bond-slaves none
        bond-mode 0
        bond-miimon 100
        up ifconfig bond0 promisc up

auto eth1
iface eth1 inet manual
        up ifconfig eth1 promisc up
        bond-master bond0
        bond-primary eth1 eth2

auto eth2
iface eth2 inet manual
        up ifconfig eth2 promisc up
        bond-master bond0
        bond-primary eth1 eth2

On Wed, Dec 5, 2012 at 6:11 PM, Leonardo Pezente <lmpezente () gmail com> wrote:
Jeremy, when u say "listen on the bonded interface" u mean something like that:

snort -c .. -i eth0:eth1 ... ?

because i have tried that, and it didn't work.

i like the idea of the afpacket, i didn't know u could use it in the ids mode, usually people use it on snort inline.

2012/12/5 Michael Altizer <maltizer () sourcefire com>

Alternatively, you could just use the AFPacket DAQ module to listen on multiple interfaces. Just make sure you don't put Snort in inline mode or it will bridge them.

On 12/05/2012 11:53 AM, Jeremy Hoel wrote:

And without patching, you could bond the two interfaces together and listen on the bonded interface.

The only downside of both of those options is not knowing what NIC saw the bad traffic.. you could go off IP of course, if that makes sense for your network design.

On Wed, Dec 5, 2012 at 4:16 PM, Jaime Nebrera <jnebrera () gmail com> wrote:

Hi Leonardo,

This is not fully right. With proper patching Snort can read from multiple interfaces within the same instance.

This is BTW, what we have done in redBorder project

On 05/12/12 17:11, Leonardo Pezente wrote:

yeah you were right, i just can run one interface per instance of snort i run.

thanks James

2012/12/5 Lay, James <james.lay () wincofoods com>

From: Leonardo Pezente [mailto:lmpezente () gmail com]
Sent: Wednesday, December 05, 2012 8:52 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort with two interface

i have the snort in the border of a network, and how this topic shows, it has two interface. i have put the HOME_NET equal to the ip of the both interfaces. the thing is: in one of them i can detect attacks, but in the other i can't. when i start to test, i was using just one (the interface that is detecting). but i need particular that the other detect too. so, what could be wrong? my snort.conf is working fine, and i he is starting on boot sniffing both interface. This might be a problem with pcap?

I believe Snort can only listen on one interface at a time, so you may want to run two separate instances of snort.

James

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
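A sensor health check for the bonded-interface approach discussed in this thread, as an added example that is not part of any poster's message: with both NICs behind bond0, a member that drops out leaves Snort blind on that segment without any error from Snort itself. It assumes the Linux bonding driver's status text in /proc/net/bonding/bond0; the function names are hypothetical and the sample status is constructed.

```shell
#!/bin/sh
# Added example: report bond members that are not delivering traffic to the sensor.
# Input is the kernel bonding status text (normally /proc/net/bonding/bond0).

# Print "<slave> <mii-status>" for every slave listed in the status text on stdin.
bond_slave_status() {
    awk -F': ' '
        /^Slave Interface:/ { slave = $2; next }
        # The first "MII Status" line belongs to the bond itself; skip it.
        /^MII Status:/ && slave != "" { print slave, $2; slave = "" }
    '
}

# Print "<nic>:<state>" for each expected member that is missing or not "up".
# usage: bond_blind_spots "eth1 eth2" < status-file
bond_blind_spots() {
    expected=$1
    seen=$(bond_slave_status)
    for nic in $expected; do
        state=$(printf '%s\n' "$seen" |
            awk -v n="$nic" '$1 == n { sub(/^[^ ]+ /, ""); print }')
        [ "$state" = "up" ] || printf '%s:%s\n' "$nic" "${state:-missing}"
    done
}

# Constructed sample of /proc/net/bonding/bond0 with eth2 unplugged.
SAMPLE_STATUS='Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth1
MII Status: up
Link Failure Count: 0

Slave Interface: eth2
MII Status: down
Link Failure Count: 3'

# Real use (bond0, eth1 and eth2 are the names used in the post):
#   bond_blind_spots "eth1 eth2" < /proc/net/bonding/bond0
printf '%s\n' "$SAMPLE_STATUS" | bond_blind_spots "eth1 eth2"
```

Any output means at least one tapped segment is not reaching Snort, so the check fits a cron job or monitoring probe that alerts on non-empty output.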
Current thread:
- snort with two interface Leonardo Pezente (Dec 05)
- Re: snort with two interface Lay, James (Dec 05)
- Re: snort with two interface Leonardo Pezente (Dec 05)
- Re: snort with two interface Jaime Nebrera (Dec 05)
- Re: snort with two interface Jeremy Hoel (Dec 05)
- Re: snort with two interface Michael Altizer (Dec 05)
- Re: snort with two interface Jeremy Hoel (Dec 05)
- Re: snort with two interface Leonardo Pezente (Dec 05)
- Re: snort with two interface Jeremy Hoel (Dec 05)
- Re: snort with two interface Lay, James (Dec 05)
- Re: snort with two interface Russ Combs (Dec 05)
- Re: snort with two interface Leonardo Pezente (Dec 05)
- Re: snort with two interface Lay, James (Dec 05)