[Snort-users] When is a hub not a hub?

Graeme Fowler graeme.fowler at ...2189...
Thu Jun 7 10:51:23 EDT 2001

Hi folks

> should be relatively straightforward to modify snort to 
> listen to at least 2 interfaces. this would have other
> applications besides just support for ethertaps

Alternatively just aggregate all the sniffing interfaces you have attached
to a box using tcpdump. By default it will (in more recent releases, I
realise some old ones don't do this) bind to all available interfaces. You
can then pump the output from tcpdump to standard out, and then read it into
snort on standard in as follows:

    tcpdump <options> -w - <expression> | snort <options> -r - <expression>

Handy if, like me, you might want to watch multiple datastreams on multiple
interfaces. Perverse? Maybe ;-)


Graeme Fowler
Systems Administrator
Host Europe Group plc

