[Snort-users] Configuration issue, Part II

DJDave Sobel dave at ...3559...
Mon Sep 24 18:32:02 EDT 2001

This was the kicker -- I needed to run multiple instances of snort, one
bound to each interface.  Interestingly, it was defaulting to eth0,
which was a "very secure" interface and was having everything blocked by

Since I'm using snort to see everything that the firewall misses, this
is now working great.

Thanks for the help guys!!


-----Original Message-----
From: root at ...2783... [mailto:root at ...2783...] On Behalf Of
Chris Keladis
Sent: Monday, September 24, 2001 8:44 AM
To: DJDave Sobel
Cc: 'Erek Adams'; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Configuration issue, Part II

DJDave Sobel wrote:

Hi Dave,

> How do you specify which interface to use?

The -i switch to snort.

> And of more importance to me, how do you specify binding to multiple
> interfaces?  I'd like it to be watching traffic to all the internal
> networks, not just one... (that way, I can see what ipchains missed..)

This is in the Snort FAQ, but if you run a Linux 2.4 kernel and a
special patch to Snort, and specify '-i any' Snort will monitor all
interfaces (not certain if this patch has found its way into mainstream

Failing that you can do as I have done and run a Snort instance on each
interface. It works quite well especially if you use Demarc, since each
Snort instance counts as a separate sensor.

I used the -I switch to make Snort list the interfaces in the ASCII
alerts to make it easier to visualise where a packet came from.

Visit the FAQ at www.snort.org for more specific details.