[Snort-users] Configuration issue, Part II

DJDave Sobel dave at ...3559...
Mon Sep 24 08:57:02 EDT 2001


 
>> And of more importance to me, how do you specify binding to multiple
>> interfaces?  I'd like it to be watching traffic to all the internal
>> networks, not just one... (that way, I can see what ipchains missed..)

>This is in the Snort FAQ, but if you run a Linux 2.4 kernel and a
>special patch to Snort, and specify '-i any' Snort will monitor all
>interfaces (not certain if this patch has found its way into mainstream
>Snort?)

>Failing that you can do as I have done and run a Snort instance on each
>interface. It works quite well especially if you use Demarc, since each
>Snort instance counts as a separate sensor.

>I used the -I switch to make Snort list the interfaces in the ASCII
>alerts to make it easier to visualise where a packet came from.

Well, I'm running Linux 2.2, and not inclined to rebuild the machine
right now... :)

With this kernel, is the only solution multiple instances?   Will it be
able to write to one single log file without problem, or will each
interface now need its own log... (Obviously, moving to a database will
solve this later...)

Dave




