[Snort-devel] Active response on two interfaces

Jon Larson jlarson at ...3287...
Tue May 1 19:46:18 EDT 2012

I/we need to get snort to operate on two interfaces.  For simplicity, 
let's just say I want to have snort monitor traffic on eth0, but then 
send its resets out on eth1.  What's the configuration magic to allow this?

I've tried something like this in the snort.conf:
config response: device eth1 attempts 2

This, however, seems to get snort into this mode (when it detects some 
TCP connection it's configured to reset) where it "sniffs" back in the 
RST packet (on the other interface), then sends another RST packet.  
Kinda like "eating its own tail".  The snort process consumes the CPU 
and floods the network in this mode.

Also is there documentation someone could point me to regarding 
configuring snort for multiple interfaces?

Any and all information would be greatly appreciated!
Jonny L.

