[Snort-users] Configuration issue, Part II

Chris Keladis Chris.Keladis at ...2783...
Mon Sep 24 05:45:02 EDT 2001


DJDave Sobel wrote:

Hi Dave,


> How do you specify which interface to use?

The -i switch to snort.

 
> And of more importance to me, how do you specify binding to multiple
> interfaces?  I'd like it to be watching traffic to all the internal
> networks, not just one... (that way, I can see what ipchains missed..)

This is in the Snort FAQ, but if you run a Linux 2.4 kernel and a
special patch to Snort, and specify '-i any' Snort will monitor all
interfaces (not certain if this patch has found its way into mainstream
Snort?)

Failing that, you can do as I have done and run a Snort instance on each
interface. It works quite well, especially if you use Demarc, since each
Snort instance counts as a separate sensor.

I used the -I switch to make Snort list the interfaces in the ASCII
alerts to make it easier to visualise where a packet came from.

Visit the FAQ at www.snort.org for more specific details.




Regards,

Chris.



