[Snort-users] Configuration issue, Part II
Chris.Keladis at ...2783...
Mon Sep 24 05:45:02 EDT 2001
DJDave Sobel wrote:
> How do you specify which interface to use?
The -i switch to snort.
> And of more importance to me, how do you specify binding to multiple
> interfaces? I'd like it to be watching traffic to all the internal
> networks, not just one... (that way, I can see what ipchains missed..)
This is in the Snort FAQ, but if you run a Linux 2.4 kernel and a
special patch to Snort, and specify '-i any' Snort will monitor all
interfaces (not certain if this patch has found it's way into mainstream
Failing that you can do as i have done and run a Snort instance on each
interface. It works quite well especially if you use Demarc, since each
Snort instance counts as a seperate sensor.
I used the -I switch to make Snort list the interfaces in the ASCII
alerts to make it easier to visualise where a packet came from.
Visit the FAQ at www.snort.org for more specific details.
More information about the Snort-users