[Snort-sigs] multiple interfaces

Javier Fernandez-Sanguino jfernandez at ...2106...
Thu May 20 00:10:02 EDT 2004


Kimberly Ho wrote:

> Hey all,
> 
> I've been trying to see if there was a way around snort 2.1.2, and why 
> it does not support multiple interfaces.   Snort 2.1.0 does however. But 
> in any case, is there a way to specify multiple interfaces, or even 
> negate one interface out of 10. We tried to modify the snort.conf file 
> and specified the interface to look for, but it did not like that.  
> Tried generally most things that are available online.  Any ideas?

I've usually done this with different snort instances, i.e. init.d 
scripts that run different snort configurations with different -i 
values. That provides a way to have different rule sets for the 
interfaces (since they will listen on different networks, with 
different traffic)

One thing that _might_ work, but I haven't tested myself, is to do 
link aggregation using logical interfaces bonding [1] and enslave 
different interfaces to it, then setup a single snort instance 
attached to the bond interface. If anyone tests this I would like to 
hear what the results are...

Regards

Javier


[1] See the "Guide to IP Layer Network Administration with Linux", 
more specifically: http://linux-ip.net/html/ether-bonding.html





More information about the Snort-sigs mailing list