[Snort-users] [Snorting 2 NICs]

Erek Adams erek at ...577...
Tue Jun 11 10:47:02 EDT 2002


On Tue, 11 Jun 2002, Gregory D Hough wrote:

[...snip...]

> ...here is where the trouble begins. The -I switch will not work at all for
> either command:
> ]# snort -c /usr/local/etc/snort/snortext.conf -I eth1
> Log directory = /var/log/snort
>
> Initializing Network Interface eth0
> ERROR: OpenPcap() FSM compilation failed:
> 	parse error
> PCAP command: eth1
> Fatal Error, Quitting..

Ok, lets take a quick check on the snort options:

        -i <if>    Listen on interface <if>
        -I         Add Interface name to alert output

Now, you have just told snort that you want to add the interface name to the
output.  Then you tried to send it a BPF filter of 'eth1' which it doesn't
understand.


> But the swich -i does:
> ]# snort -c /usr/local/etc/snort/snortext.conf -i eth1
> Log directory = /var/log/snort

[...snip...]

Works as supposed to.  :)

The best way for you to do what you want:

	snort -c /etc/snort.internal.conf -i eth1 -I
	snort -c /etc/snort.external.conf -i eth0 -I

>
> One thing I should mention is that being sort of a newbie, I am trying to
> administer most servers /etc from the Webmin GUI. Don't laugh, it is a good
> learning tool. I am comfortable at the command line however. The Webmin tool
> only allows me to set up a single interface. So I use it for the internal and
> fire up the external via the shell. Just out of curiosity, is it possible to
> initialize both interfaces with a single command? For example, Sandro offered
> a snort.multi script, but it was way out of my league. I do run a few scripts
> for port forwarding to a win box, but they are very simple.



More information about the Snort-users mailing list