[Snort-users] Snort on linux with multiple network cards (was: Some reasonably dumb questions)

Mon Jan 22 14:07:47 EST 2001

Hello all...

I've spent the weekend making RPMs of the
latest builds of libpcap and tcpdump from http://www.tcpdump.org
to see if they solve my problem detailed last week...

Two questions to ask of people before I go further
down the path of madness...

Are people out in the Linux world (or, I suppose any
flavour of Unix for that matter) rolling their snorts 
with the old LBL libpcap, or the tcpdump.org versions?

And secondly, considering one reply I got to my question
about my box with two identical network cards in it ...
(From russ yonah:
You might try taking two different network cards. I believe RH has a long
history of problems when two network cards use the same module. Usually
the problem includes that one configuration overwrites the second.)
Is everyone else using two different network cards under Linux,
or is this just misleading?

My experiments with snort 1.6.x/1.7.x running on systems with 1 network
card and acting as a sort of 'host based' IDS have been perfect... it's just that
trying to move a new box into the position of snorting our external link traffic
seems to have been fraught with problems... I'm hoping to test a new piece
of software with snort very soon indeed, and naturally I want this to work!

... any further advice would be most gratefully received.

