Re: Snort startup with multiple interfaces

["Jade E. Deane" <jade.deane () riven net>]

How about a FreeBSD machine being used as a sensor, where the ingress
and egress traffic comes in mirrored on different interfaces.

I have a physical Ethernet tap that takes TX traffic to NIC 1, and RX
traffic to NIC 2.  I run separate snort instances for each.... to me,
this is, well, stupid.

There must be a better way, or a method of combinging the TX/RX data to
one logical interface, in lieu of using a switch SPAN or mirror port.

Regards,
Jade

On Wed, 2003-09-10 at 11:12, J.Mann wrote:
> > Since I have 4 eth commands there, will Snort take them all and listen
> > on each interface? 
>
> This is mentioned in the FAQ:
>
>   http://www.snort.org/docs/faq.html#3.4
>
> Regards,
> Jon Mann
>
>
> On Wed, Sep 10, 2003 at 11:11:28AM -0400, Frye, Dan wrote:
> > I'm running Snort 2.01 on linux. I'm using the command line:
> >
> > /app/snort/bin/snort -U -d -D -c -o /app/snort/snort.conf -i eth0 -i
> > eth1 -i eth3 -i eth4
> >
> > Since I have 4 eth commands there, will Snort take them all and listen
> > on each interface? I don't have my taps yet so I can't test it, but am
> > hoping someone can confirm or deny this config. Thanks.
> >  
> > d
> >
> >
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by:ThinkGeek
> > Welcome to geek heaven.
> > http://thinkgeek.com/sf
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- 

PGP Public Key:  http://www.riven.net/~moose/key.asc
Key fingerprint = C497 1FEC 6FC4 6896 6AB5  9A26 71DF 521B 0612 D1B8

Attachment: signature.asc
Description: This is a digitally signed message part