[Snort-sigs] multiple interfaces

Jason Haar Jason.Haar at ...651...
Wed May 19 21:40:00 EDT 2004


On Wed, May 19, 2004 at 10:55:22PM -0400, Jason wrote:
> to watch all interfaces
> 
> snort -i any
> 
> to selectively ignore a specific interface
> 
> snort -i any not ether dst [MAC address]
> 
> Eg: snort -i any not ether dst 00:D0:B7:92:4A:53
> 

That won't work, will it? I mean, snort runs in promisc mode, so the dst
Ethernet address isn't a Snort MAC - it's another host. So excluding the MAC
addresses associated with Snort will just stop you seeing traffic *aimed* at
that address - not traffic passing it.

(this assumes the question was: "how do I monitor 5 Ethernet interfaces
except for int 3" - my answer is "4 instances of snort")

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
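
The point made in the reply above, as an added example that is not part of the original message: a Python model of the filter `not ether dst [MAC]` applied to frames a promiscuous sensor would capture. The interface names (`eth0`, `eth3`) and every MAC except the one in the quoted example are constructed for illustration.

```python
# Added illustration: models `not ether dst <MAC>` on constructed frames.
SENSOR_MAC = "00:D0:B7:92:4A:53"  # MAC from the quoted example, assumed to be the NIC on eth3


def mac_bytes(mac):
    """Convert 'AA:BB:..' notation to 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def frame(dst, src, ethertype=0x0800, payload=b""):
    """Build a minimal Ethernet II frame: dst(6) + src(6) + type(2) + payload."""
    return mac_bytes(dst) + mac_bytes(src) + ethertype.to_bytes(2, "big") + payload


def ether_dst(raw):
    """Destination MAC is the first 6 bytes of the frame."""
    return ":".join(f"{b:02X}" for b in raw[:6])


def passes_filter(raw, excluded_mac=SENSOR_MAC):
    """Equivalent of the BPF expression `not ether dst <excluded_mac>`."""
    return ether_dst(raw) != excluded_mac.upper()


# Constructed capture: (interface the frame was seen on, raw frame).
CAPTURED = [
    ("eth0", frame("02:00:00:00:00:0B", "02:00:00:00:00:0A")),  # host to host
    ("eth3", frame("02:00:00:00:00:0D", "02:00:00:00:00:0C")),  # host to host, passing eth3
    ("eth3", frame("FF:FF:FF:FF:FF:FF", "02:00:00:00:00:0C")),  # broadcast seen on eth3
    ("eth3", frame(SENSOR_MAC, "02:00:00:00:00:0C")),           # aimed at the sensor NIC
]


def surviving_by_interface(captured):
    """Return {iface: (frames passing the filter, frames seen)}."""
    result = {}
    for iface, raw in captured:
        passed, seen = result.get(iface, (0, 0))
        result[iface] = (passed + passes_filter(raw), seen + 1)
    return result


if __name__ == "__main__":
    for iface, (passed, seen) in surviving_by_interface(CAPTURED).items():
        print(f"{iface}: {passed} of {seen} frames still reach the sensor")
```

Only the frame addressed to the sensor's own NIC is dropped; the other frames seen on `eth3` still pass the filter.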



