Snort mailing list archives
RE: Multiple IF
From: Tom Sevy <tsevy () epx com>
Date: Sat, 18 Aug 2001 18:57:39 -0400
Since I had different requirements for two segments, I ended up with two copies of snort.conf -- one for each lan segment. On one box, monitoring two segments with two nics.

-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: Saturday, August 18, 2001 3:48 PM
To: Andrew Stubbs
Cc: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] Multiple IF

On Sat, 18 Aug 2001, Andrew Stubbs wrote:
> I have tried setting snort to run on multiple interfaces in 2 ways
> 1) Using multiple address/masks (implicit ip HOME_NET [xxx.xxx.xxx.xxx/32,yyyy.yyyy.yyyy.yyyy/32]
> 2) Using separate instances of snort with diff config files.
>
> Also tried using HOME_NET [$eth0_ADDRESS,$eth1_ADDRESS] produces an error
> (snort: [!] ERROR /etc/snort/rules/snort2.conf (40): Bad value in variable definition!
> snort: FATAL ERROR: Make sure you don't have a "$" in the var name
> )
>
> In either event the second i/f never goes into promisc mode and thus no packets logged.
>
> Running: Linux 2.4.2., latest libpcap etc, Snort Version 1.8.1-beta7. Dual nic (3c59x)
Two suggestions: Go to 1.8.1-RELEASE; go grab the 0.6.2 version of libpcap, if you don't have it (you didn't specify the version so I'm guessing). With that you should be able to have it use any interfaces.

You can use "-i any" to have one proc look at both nics on a Linux box, IIRC.

Disclaimer: I'm not a Linux person, in any way--So I might be smokin' crack on this one.... :) Any Linux folks out there want to correct my cluelessness?

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users