[Snort-users] Configuration issue, Part II

DJDave Sobel dave at ...3559...
Mon Sep 24 18:32:02 EDT 2001


This was the kicker -- I needed to run multiple instances of snort, one
bound to each interface.  Interestingly, it was defaulting to eth0,
which was a "very secure" interface and was having everything blocked by
ipchains.

Since I'm using snort to see everything that the firewall misses, this
is now working great.

Thanks for the help guys!!

Dave

-----Original Message-----
From: root at ...2783... [mailto:root at ...2783...] On Behalf Of
Chris Keladis
Sent: Monday, September 24, 2001 8:44 AM
To: DJDave Sobel
Cc: 'Erek Adams'; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Configuration issue, Part II

DJDave Sobel wrote:

Hi Dave,


> How do you specify which interface to use?

The -i switch to snort.

 
> And of more importance to me, how do you specify binding to multiple
> interfaces?  I'd like it to be watching traffic to all the internal
> networks, not just one... (that way, I can see what ipchains missed..)

This is in the Snort FAQ, but if you run a Linux 2.4 kernel and a
special patch to Snort, and specify '-i any' Snort will monitor all
interfaces (not certain if this patch has found its way into mainstream
Snort?)

Failing that you can do as I have done and run a Snort instance on each
interface. It works quite well especially if you use Demarc, since each
Snort instance counts as a separate sensor.

I used the -I switch to make Snort list the interfaces in the ASCII
alerts to make it easier to visualise where a packet came from.

Visit the FAQ at www.snort.org for more specific details.




Regards,

Chris.
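
An added example, not part of the original posts: a shell sketch of the one-instance-per-interface setup described in this thread, naming the interface explicitly with -i so nothing falls back to eth0, and using -I as mentioned above. The config path, log root, and the use of Snort's -c, -l and -D options are assumptions not taken from the thread.

```shell
#!/bin/sh
# Added example: plan one Snort instance per interface.
# Assumed paths (not from the thread); override via the environment.
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
LOG_ROOT="${LOG_ROOT:-/var/log/snort}"

# List interface names from a sysfs-style directory, skipping loopback.
list_ifaces() {
    for path in "${1:-/sys/class/net}"/*; do
        [ -e "$path" ] || continue
        name=${path##*/}
        [ "$name" = "lo" ] && continue
        printf '%s\n' "$name"
    done
}

# Accept only plain interface names so nothing odd reaches a command line.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9._:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Command line for one sensor: -i binds the instance to one interface,
# -I writes the interface name into alerts, -l gives each instance its
# own log directory so alerts from different sensors do not mix.
snort_cmd() {
    printf 'snort -D -i %s -I -c %s -l %s/%s\n' \
        "$1" "$SNORT_CONF" "$LOG_ROOT" "$1"
}

# Print one command per valid interface; invalid names are reported and skipped.
plan() {
    for ifc in "$@"; do
        if valid_iface "$ifc"; then
            snort_cmd "$ifc"
        else
            echo "skipping invalid interface name: $ifc" >&2
        fi
    done
}

# Dry run: with interface names as arguments, print the planned commands.
if [ "$#" -gt 0 ]; then
    plan "$@"
fi
```

The script only prints the commands for review; create the per-interface log directories before starting the instances.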




