Re: Snort startup with multiple interfaces

[Matt Kettler <mkettler () evi-inc com>]

At 11:11 AM 9/10/2003 -0400, Frye, Dan wrote:
> /app/snort/bin/snort -U -d -D -c -o /app/snort/snort.conf -i eth0 -i
> eth1 -i eth3 -i eth4
>
> Since I have 4 eth commands there, will Snort take them all and listen
> on each interface? I don't have my taps yet so I can't test it, but am
> hoping someone can confirm or deny this config. Thanks.

That doesn't work, you can only specify one -i parameter to snort.

In the future please RTF (read the FAQ) at http://www.snort.org/docs/FAQ.txt

Direct quote of the FAQ:
-----------

3.6 How can I run snort on multiple interfaces simultaneously.

LINUX: If you aren't running snort on linux 2.1.x/2.2.x kernel (with LPF
available) the only way is to run multiple instances of snort, one instance per
interface (with the -i option specifying the interface). However for linux
2.1.x/2.2.x and higher you can use libpcap library with S. Krahmer's patch
which allows you to specify 'any' as interface name. In this case snort will be
able to process traffic coming to all interfaces.

*BSD: Use the ``bridge'' interface to combine your nics into a logical
interface (bridge0).




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users