[Snort-users] two interfaces?

Bennett Todd bet at ...6163...
Tue Sep 24 05:57:03 EDT 2002


2002-09-23-17:04:15 Erek Adams:
> On Mon, 23 Sep 2002, Daniel Curry wrote:
> > Which is better?
> > Having one snort daemon run with two "-i" option
> > or have multiple snort daemon with one "-i" option?
> > We would like to monitor two promiscuous interface.
> 
> You can't use multiple -i statements and have snort sniff two interfaces.  If
> you are using Linux kernel 2.3+ you can use the '-i any' instead.  Otherwise,
> use two instances.

Or, if you e.g. wish to sniff two unnumbered interfaces but not your
numbered (mgmt) interface; and if you wish to have one snort
instance watching both those interfaces (in case e.g. outbound
packets of a connection are seen on one interface and return packets
are seen on the other), then you could bond the channels. With
recent Linuxes that'd be described in the kernel src tree in
Documentation/networking/bonding.txt; in short, it's something like
a one-time:

	echo alias bond0 bonding >>/etc/modules.conf

then boot-time:

	ifconfig bond0 up
	ifenslave bond0 eth1
	ifenslave bond0 eth2
	snort -i bond0 ...

-Bennett
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20020924/96b111e4/attachment.sig>


More information about the Snort-users mailing list