[Snort-users] bpf filter by interface

Erek Adams erek at ...950...
Sun Jun 1 07:26:04 EDT 2003


On Sun, 1 Jun 2003, Yonah Russ wrote:

> I'm looking for a way to run snort on some but not all of my network
> interfaces without more than one process. I tried using two -i arguments
> and snort seemed to swallow them but the output was nonsense. I also
> don't see an expression in the snort man page that lets you block out an
> interface. Any ideas?

Short answer:  Not easily

Long answer:  You'd have to use bonding (Linux) and combine all the
physical interfaces into one logical interface.  Then you'd sniff the
logical interface.  You can also use bridging (*BSD's) and trunking
(Solaris) to accomplish the same thing.

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
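
The Linux bonding approach described in the reply, as an added example that is not part of the original post: only the interfaces Snort should watch are enslaved to the bond, and any interface to be excluded is simply left out. The names bond0, eth1 and eth2, the iproute2 syntax and the balance-rr mode are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (constructed): build a sniffing bond from selected interfaces.
# bond0, eth1 and eth2 are assumed names; eth0 (not listed) stays unmonitored.

# Print the iproute2 commands for a bond that Snort can listen on.
# usage: bond_plan BOND IFACE [IFACE...]
bond_plan() {
    bond=$1; shift
    [ $# -ge 1 ] || { echo "need at least one interface" >&2; return 1; }
    # balance-rr keeps every member active, so frames arriving on any
    # member reach the bond. active-backup would discard traffic seen on
    # the standby member and leave a blind spot.
    echo "ip link add $bond type bond mode balance-rr"
    for ifc in "$@"; do
        echo "ip link set $ifc down"          # take the member down before enslaving
        echo "ip link set $ifc master $bond"  # attach it to the bond
    done
    echo "ip link set $bond up"               # brings the members up as well
    echo "snort -i $bond"                     # one process, one logical interface
}

# Dry run by default; APPLY=1 executes the plan (needs root).
if [ "${APPLY:-0}" = 1 ]; then
    bond_plan bond0 eth1 eth2 | sh -e
else
    bond_plan bond0 eth1 eth2
fi
```

Review the printed plan before running with APPLY=1, since enslaving an interface that carries management traffic will interrupt it.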



