Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Snorting on 2 interfaces

From: "Truax, Shawn (MBS)" <Shawn.Truax () mbs gov on ca>
Date: Thu, 22 Apr 2004 08:25:48 -0400
Hi,

Ultimately it will depend on what type of output you want from snort.  You
can follow the method that Alex outlined or as an alternative you can create
two instances of snort.  This can be done by creating two snort.conf files
and two output locations to write alerts.  Then run snort once with the
first snort.conf and then again with the second.  (This is a very simplistic
description but its not too hard to get going.)

This works better for me as the alerts are entered into the DB as multiple
sources so I can also sort alerts by interface.  This also allows me to run
different rule sets on each interface.  I have the interfaces plugged into
different segments of the network so while one rule might generate lots of
false positives on one interface and generate true positives on another.  I
don't have to turn off the rule completely or dig through a bunch of fluff,
just have to disable it on the one interface only.

Shawn Truax
Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario
M5H 3B7
(416)327-1107


-----Original Message-----
From: AJ Butcher, Information Systems and Computing
[mailto:Alex.Butcher () bristol ac uk]
Sent: April 22, 2004 3:54 AM
To: Conan the Librarian; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snorting on 2 interfaces




--On 17 April 2004 13:26 -0600 Conan the Librarian 
<conan_the_librarian () adelphia net> wrote:


Hello all,

Need a little help here configuring snort to sniff on two interfaces
simultaneously in a low traffic environment.

Tried editing /etc/init.d/snort config file with IFACE=eth0,eth1


That will try to sniff on an interface named "eth0,eth1" and will almost 
certainly fail.


then IFACE=[eth0,eth1]


Bogus.


then two separate lines of IFACE=eth0 and IFACE=eth1


The second line will redefine the shell variable IFACE from eth0 to eth1 
and snort will only sniff on eth1.


all with no joy. Read Beale, Foster and Posluns' book cover to cover.
Checked man pages. Searched archives. All have HINTS that it can be done
but no one specifies the syntax of the initiation or conf file.


With the standard snortd init script, setting

        IFACE="eth1 -i eth0 -i eth3"

should work. Note the '-i's for the second and subsequent interfaces.

Alternatively, bond the interfaces together, and attach snort to the bond0 
interface.


Anyone done this before?
MJ


Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9




-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: