Snort mailing list archives
Re: Multiple NICs in a Linux box and Snort
From: Bennett Todd <bet () rahul net>
Date: Fri, 19 Nov 2004 19:03:26 +0000
2004-11-19T18:51:20 Lyndon Tiu:
It can monitor multiple NICs.
On some platforms it can, Linux is one of them.
From snort.conf:
But HOME_NET has nothing to do with it; you can run snort fine with HOME_NET undefined. It's a tuning parameter for teaching snort your network config, so it can analyze the traffic it sees more knowledgeably. But the traffic it sees is controlled by the interface arg to -i on the snort cmdline.

On some platforms, including Linux with at least some libpcaps, you can go "-i any" if you want to listen on _all_ NICs attached to the system, or you can specify one single NIC. Those are your choices there.

For a very common case, where you need to aggregate the traffic coming in on two NICs coming from a network tap, but don't want to be snorting the mgmt interface, Linux's bonding driver is the ticket. You can bond unnumbered NICs, just ignore the errors ifenslave gives, it's annoyed because it can't properly configure the IP addrs, but we don't care. Check the networking/bonding.txt in the kernel docs for details, especially noting the "Promiscuous Sniffing notes" section.

-Bennett
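The bonding setup described in the message above, as an added example that is not part of the original post: a dry-run planner that builds an unnumbered bond from the tap NICs and refuses to enslave the management NIC. It uses iproute2 in place of the ifenslave the post mentions; the interface names (eth0 for management, eth1/eth2 for the tap, bond0) and the snort.conf path are assumptions.

```shell
#!/bin/sh
# Added example: plan a receive-only bond of tap NICs for Snort to sniff.
# All interface names and the config path below are assumed, not from the post.

# Print the commands that build the bond; print nothing if the input is unsafe.
# usage: bond_plan BOND MGMT_IF TAP_NIC TAP_NIC [TAP_NIC...]
bond_plan() {
    bond=$1; mgmt=$2; shift 2
    if [ "$#" -lt 2 ]; then
        echo "need at least two tap NICs to aggregate" >&2
        return 2
    fi
    for nic in "$@"; do
        # The management NIC must stay out of the capture and keep its address.
        if [ "$nic" = "$mgmt" ]; then
            echo "refusing to enslave management interface $mgmt" >&2
            return 3
        fi
    done
    # balance-rr is a mode in which the bonding driver propagates
    # promiscuous mode to every slave, so both tap directions are seen.
    echo "ip link add $bond type bond mode balance-rr"
    for nic in "$@"; do
        echo "ip addr flush dev $nic"        # unnumbered: no IP on tap NICs
        echo "ip link set $nic down"         # a NIC must be down to be enslaved
        echo "ip link set $nic master $bond"
    done
    echo "ip link set $bond promisc on up"
    # Snort listens on the bond only, never on the management NIC.
    echo "snort -i $bond -c /etc/snort/snort.conf"
}

# Dry run by default; run with APPLY=1 as root to execute the plan.
if [ "${APPLY:-0}" = 1 ]; then
    bond_plan bond0 eth0 eth1 eth2 | sh -ex
fi
```

Calling `bond_plan bond0 eth0 eth1 eth2` without APPLY set prints the plan for review and changes nothing on the host.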