[Snort-users] Snort, FreeBSD and Multiple NICs

Erek Adams erek at ...577...
Tue Oct 16 10:23:14 EDT 2001

On Tue, 16 Oct 2001, Dave Elfering wrote:

> I'm running FreeBSD 4.4 and Demarc 1.05 RC2 on a Dell Precision (1GB RAM,
> 800Mhz CPU) with an Adaptec quad ethernet card.
> I must be brain damaged, because I'm not seeing how to select several
> interfaces.
> I want to minimally run Snort on two interfaces watching separate network
> segments, and experiment with watching up to 4 segments. This is just
> cleaner for me than setting up a probe for each silly network I want to
> monitor.
> Sorry if this is FAQ fodder some place, but I haven't seen this question
> answered.

Well...  Now that you mention it:  (CVS FAQ Version)

3.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How can I run snort on multiple interfaces simultaneously.

A: If you aren't running snort on linux 2.1.x/2.2.x kernel (with LPF
   the only way is to run multiple instances of snort, one instance per
   interface. However for  linux 2.1.x/2.2.x and higher you can use libpcap
   library with S. Krahmer's patch which allows you to specify 'any' as
   interface name. In this case snort will be able to process traffic
   coming to all interfaces.


Erek Adams

