AW: [Snort-users] [Snorting 2 NICs]

Poppi, Sandro Sandro.Poppi at ...3316...
Mon Jun 10 07:45:09 EDT 2002


> You should be able to simply install another Snort instance.  
> Instances can share conf and rules files, but not the binary 
> as far as I am aware.  Just do "cp snort snort2" and call 
> snort2 for the second instance.

Sorry that I have to protest here ;) but you can run a lot of snort
instances with the same binary, as you can with any other binary. I have 5
snort instances running on one host without requiring to copy the binary.

I also created a script to start snort on more than one interface. If
interested take a look at
http://www.lug-burghausen.org/projects/index.html#snort-stat

> Greetings Group,
> 
> I have Snort running into MySQL. I use ACID to view alerts. Snort works fine
> when started as: snort -c /usr/local/etc/snort/snort.conf -i eth0 -D but this
> is my internal interface. When fired up for eth1 (IP address ppp0) I get this
> in /var/log/messages:
> 
> WARNING: OpenPcap() device eth1 network lookup: ^Ieth1: no Ipv4 address assigned
> Initializing daemon mode
> WARNING: OpenPcap() device eth1 network lookup: ^Ieth1: no Ipv4 address assigned
> PID stat checked out ok, PID set to /var/run
> Writing PID file to "/var/run"
> Snort initialization completed successfully, Snort running

Don't care about the warning, you defined eth1 to be a stealth interface so
that's ok.
 
> Obviously Snort sees no traffic whatsoever. Is there any way to initialize
> Snort with two sensors, eth0 and ppp0?

See link above
 
> This is on a tutorial HOME_NET, with a Linux gateway machine and two other
> boxes inside, one Linux and one Win. I'd like to continue monitoring the
> internal due to the Win box. I have mulled over the excellent documentation
> for setting the whole thing up, thanks to everyone involved. I just haven't
> found an answer to this type of setup yet.

HTH,
Sandro
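
An added example, not part of the original message and not the script linked above: a minimal shell sketch that starts one Snort daemon per interface from the same binary, using the `-c`, `-i` and `-D` options from the quoted command line plus `-l` for a per-interface log directory. The `LOG_BASE` path, the `DRY_RUN` switch and the function names are assumptions made for this illustration.

```shell
#!/bin/sh
# One snort binary, one daemon per interface (added example).
SNORT_BIN="${SNORT_BIN:-snort}"
SNORT_CONF="${SNORT_CONF:-/usr/local/etc/snort/snort.conf}"  # path from the quoted post
LOG_BASE="${LOG_BASE:-/var/log/snort}"                       # assumed log location

# Print the command line used for one interface.
snort_cmd() {
    printf '%s -c %s -i %s -l %s/%s -D\n' \
        "$SNORT_BIN" "$SNORT_CONF" "$1" "$LOG_BASE" "$1"
}

# Start (or, with DRY_RUN=1, only print) one instance per interface.
# Malformed names and duplicates are skipped so that two daemons never
# sniff the same interface or share a log directory.
start_sensors() {
    seen=""
    for ifc in "$@"; do
        case "$ifc" in
            ''|*[!A-Za-z0-9._-]*)
                echo "skip: bad interface name '$ifc'" >&2
                continue ;;
        esac
        case " $seen " in
            *" $ifc "*)
                echo "skip: $ifc listed twice" >&2
                continue ;;
        esac
        seen="$seen $ifc"
        if [ "${DRY_RUN:-1}" = 1 ]; then
            snort_cmd "$ifc"
        else
            mkdir -p "$LOG_BASE/$ifc" &&
                "$SNORT_BIN" -c "$SNORT_CONF" -i "$ifc" -l "$LOG_BASE/$ifc" -D
        fi
    done
}

# Dry run by default: prints the two command lines for the setup asked about.
start_sensors eth0 ppp0
```

Set `DRY_RUN=0` to actually launch the daemons; each instance then logs under its own directory while sharing the configuration and rules files.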