Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Multiple IF

From: Erek Adams <erek () theadamsfamily net>
Date: Sat, 18 Aug 2001 12:47:53 -0700 (PDT)
On Sat, 18 Aug 2001, Andrew Stubbs wrote:


I have tried setting snort to run on multiple interfaces in 2 ways

1) Using multiple address/masks (implicit ip HOME_NET
[xxx.xxx.xxx.xxx/32,yyyy.yyyy.yyyy.yyyy/32]
2) Using seperate instances of snort with diff config files.

Also tried using HOME_NET [$eth0_ADDRESS,$eth1_ADDRESS] produces an error
(snort: [!] ERROR /etc/snort/rules/snort2.conf (40): Bad value in variable
definition!
 snort: FATAL ERROR:        Make sure you don't have a "$" in the var name )

In either event the second i/f never goes into promisc mode and thus no
packets logged.

Running: Linux 2.4.2., latest libpcap etc, Snort Version 1.8.1-beta7.
Dual nic (3c59x)


Two suggestions:  Go to 1.8.1-RELEASE; go grab the 0.6.2 version of libpcap,
if you don't have it (you didn't specify the version so I'm guessing).

With that you should be able to have it use any interfaces.  You can use "-i
any" to have one proc look at both nics on a Linux box, IIRC.

Disclaimer:  I'm not a Linux person, in any way--So I might be smokin' crack
on this one....  :)

Any Linux folks out there want to correct my cluelessness?

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: