[Snort-users] Snort 1.7 problem with -i any

Neil Dickey neil at ...1633...
Tue Jun 5 10:59:04 EDT 2001


Edwin Chiu <Edwin.Chiu at ...1378...> wrote:

[ ... Snip, 'any' interface not recognized so use le0 etc ... ]

>I'm aware of this, but I was under the impression that libpcap and/or
>snort could listen to all interfaces with the "-i any" flag, like 
>tcpdump.

That may well be!  I was just working from what's in the man page, which
says that '-i' requires the interface name as an argument.  It wouldn't
be the first time I've gotten into trouble reading a man page.  ;-)

Did you try specifying a particular interface to see if the problem goes
away?  ( We already know that 'any' doesn't work ... )  If Snort won't
report anything then, maybe there's a problem with your build.  If 'any'
should work and doesn't then there's obviously a bug somewhere, but I
wouldn't be able to help you with that.

Finally, this from the FAQ:

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How can I run snort on multiple interfaces simultaneously?

A: If you aren't running snort on linux 2.1.x/2.2.x kernel (with LPF available)
    the only way is to run multiple instances of snort, one instance per
    interface. However for linux 2.1.x/2.2.x and higher you can use libpcap
    library with S. Krahmer's patch which allows you to specify 'any' as interface
    name. In this case snort will be able to process traffic coming to all
    interfaces.
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Apparently under specific conditions linux users, and linux users only, *can*
specify 'any' as an interface.  Are you using libpcap with S. Krahmer's patch?

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
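
The FAQ's two options, sketched as an added example that is not part of the original message or of Snort itself: a dry-run planner that prints the snort command lines to start, one per interface unless 'any' is usable. The config path, log root and the has-any switch are assumptions chosen for illustration; `-D`, `-i`, `-c` and `-l` are standard Snort options.

```shell
#!/bin/sh
# Added example: plan Snort sensor instances for a set of interfaces.
# Assumptions (not from the original post): the config path, the log root
# and the PCAP_HAS_ANY argument are hypothetical names for illustration.

SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"   # assumed path
LOG_ROOT="${LOG_ROOT:-/var/log/snort}"              # assumed path

# plan_snort OS PCAP_HAS_ANY IFACE...
#   OS            output of `uname -s` (e.g. Linux, SunOS)
#   PCAP_HAS_ANY  "yes" if the installed libpcap accepts 'any' (set by operator)
# Prints one snort command line per instance that has to be started.
plan_snort() {
    os=$1; has_any=$2; shift 2
    if [ "$#" -eq 0 ]; then
        echo "plan_snort: no interfaces given" >&2
        return 1
    fi
    # 'any' is only an option on Linux with a libpcap that supports it.
    if [ "$os" = "Linux" ] && [ "$has_any" = "yes" ]; then
        echo "snort -D -i any -c $SNORT_CONF -l $LOG_ROOT/any"
        return 0
    fi
    # Otherwise: one instance per interface, each with its own log directory
    # so the instances do not write to the same alert file.
    for ifc in "$@"; do
        case $ifc in
            any) echo "plan_snort: 'any' not usable here, skipped" >&2
                 continue ;;
            *[!A-Za-z0-9._:-]*)
                 echo "plan_snort: bad interface name '$ifc'" >&2
                 return 1 ;;
        esac
        echo "snort -D -i $ifc -c $SNORT_CONF -l $LOG_ROOT/$ifc"
    done
}

# Constructed sample run: a non-Linux host with two interfaces.
plan_snort SunOS no le0 le1
```

Each `-l` directory has to exist before the corresponding instance is started.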





