[Snort-users] two interfaces?
bet at ...6163...
Tue Sep 24 05:57:03 EDT 2002
2002-09-23-17:04:15 Erek Adams:
> On Mon, 23 Sep 2002, Daniel Curry wrote:
> > Which is better?
> > Having one snort daemon run with two "-i" option
> > or have multiple snort daemon with one "-i" option?
> > We would like to monitor two promiscuous interface.
> You can't use multiple -i statements and have snort sniff two interfaces. If
> you are using Linux kernel 2.3+ you can use the '-i any' instead. Otherwise,
> use two instances.
Or, if you e.g. wish to sniff two unnumbered interfaces but not your
numbered (mgmt) interface; and if you wish to have one snort
instance watching both those interfaces (in case e.g. outbound
packets of a connection are seen on one interface and return packets
are seen on the other), then you could bond the channels. With
recent Linuxes that'd be described in the kernel src tree in
Documentation/networking/bonding.txt; in short, it's something like
echo alias bond0 bonding >>/etc/modules.conf
ifconfig bond0 up
ifenslave bond0 eth1
ifenslave bond0 eth2
snort -i bond0 ...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
More information about the Snort-users