RE: Configuration issue, Part II

["DJDave Sobel" <dave () evolvetech com>]

> > And of more importance to me, how do you specify binding to multiple
> > interfaces?  I'd like it to be watching traffic to all the internal
> > networks, not just one... (that way, I can see what ipchains
missed..)

> This is in the Snort FAQ, but if you run a Linux 2.4 kernel and a
> special patch to Snort, and specify '-i any' Snort will monitor all
> interfaces (not certain if this patch has found it's way into
mainstream
> Snort?)

> Failing that you can do as i have done and run a Snort instance on each
> interface. It works quite well especially if you use Demarc, since each
> Snort instance counts as a seperate sensor.

> I used the -I switch to make Snort list the interfaces in the ASCII
> alerts to make it easier to visualise where a packet came from.

Well, I'm running Linux 2.2, and not inclined to rebuild the machine
right now... :)

With this kernel, is the only solution multiple instances?   Will it be
able to write to one single log file without problem, or each interface
now need it's own log... (Obviously, moving to a database will solve
this later...)

Dave


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users