[Snort-users] bpf filter by interface
erek at ...950...
Sun Jun 1 07:26:04 EDT 2003
On Sun, 1 Jun 2003, Yonah Russ wrote:
> I'm looking for a way to run snort on some but not all of my network
> interfaces without more than one process. I tried using two -i arguments
> and snort seemed to swallow them but the output was nonsense. I also
> don't see an expression in the snort man page that lets you block out an
> interface. Any ideas?
Short answer: Not easily
Long answer: You'd have to use bonding (Linux) and combine all the
physical interfaces into one logical interface. Then you'd sniff the
logical interface. You can also use bridging (*BSDs) and trunking
(Solaris) to accomplish the same thing.
Hope that helps!
"When things get weird, the weird turn pro." H.S. Thompson