Snort mailing list archives

Re: Multiple NICs in a Linux box and Snort


From: Bennett Todd <bet () rahul net>
Date: Fri, 19 Nov 2004 19:03:26 +0000

2004-11-19T18:51:20 Lyndon Tiu:
It can monitor multiple NICs.

On some platforms it can; Linux is one of them.

From snort.conf:

But HOME_NET has nothing to do with it; you can run snort fine with
HOME_NET undefined. It's a tuning parameter for teaching snort your
network config, so it can analyze the traffic it sees more
knowledgeably.

But the traffic it sees is controlled by the interface arg to -i on
the snort cmdline. On some platforms, including Linux with at least
some libpcaps, you can go "-i any" if you want to listen on _all_
NICs attached to the system, or you can specify one single NIC.
Those are your choices there.

For a very common case, where you need to aggregate the traffic
coming in on two NICs coming from a network tap, but don't want to
be snorting the mgmt interface, Linux's bonding driver is the
ticket. You can bond unnumbered NICs, just ignore the errors
ifenslave gives, it's annoyed because it can't properly configure
the IP addrs, but we don't care. Check the networking/bonding.txt in
the kernel docs for details, especially noting the "Promiscuous
Sniffing notes" section.

-Bennett
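The tap-aggregation setup described in the post above (bond two unnumbered tap legs, leave the management NIC alone, point snort at the bond), written out as an added example script. This is not Bennett's code or part of the Snort project; it assumes a Linux host with the bonding driver, ifenslave, iproute2 and snort installed, tap legs named eth1 and eth2, a bond named bond0 and a snort.conf at /etc/snort/snort.conf, all of which are assumptions. It defaults to a dry run that prints the commands; set DRY_RUN=0 and run as root to actually apply them.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed interface names
# (eth1/eth2 as the two tap legs, bond0 as the bond) and config path.
# DRY_RUN=1 (the default) prints each command instead of executing it,
# so the script can be read and checked without root or real NICs.
set -eu

BOND="${BOND:-bond0}"
TAP_A="${TAP_A:-eth1}"
TAP_B="${TAP_B:-eth2}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# bond_tap_setup: build an unnumbered bond from the two tap legs.
# No IP address is ever assigned to bond0 or its slaves; the bond exists
# only so that libpcap sees one interface carrying both directions of the
# tapped link. The default bonding mode (balance-rr) is fine for passive
# capture; in that mode the driver pushes promiscuous mode down to every
# slave (see "Promiscuous Sniffing notes" in networking/bonding.txt).
bond_tap_setup() {
    run modprobe bonding
    # The master must be up before slaves can be attached.
    run ip link set "$BOND" up
    # Bring the tap legs up without addresses. ifenslave may complain
    # that it cannot configure IP addresses on them; that is harmless here.
    run ip link set "$TAP_A" up
    run ip link set "$TAP_B" up
    run ifenslave "$BOND" "$TAP_A" "$TAP_B"
    # Promiscuous mode on the bond is propagated to the slaves by the driver.
    run ip link set "$BOND" promisc on
}

# bond_tap_run_snort: sniff only the bond, so the management NIC (eth0 or
# whatever it is) is never captured. Compare "-i any", which would include it.
bond_tap_run_snort() {
    run snort -i "$BOND" -c "$SNORT_CONF"
}

# Only act when explicitly asked, so sourcing the file defines the functions
# without touching the host.
if [ "${1:-}" = "setup" ]; then
    bond_tap_setup
    bond_tap_run_snort
fi
```

Run `sh bond-tap.sh setup` to see the command sequence, then `DRY_RUN=0 sh bond-tap.sh setup` as root to apply it. If you need "-i any" instead (management traffic included), skip the bond entirely and just pass `-i any` to snort; the bond is only worth the trouble when you want the tap legs merged and the management NIC excluded.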

