[Snort-users] Monitoring traffic on 2 Interfaces

Michael Steele michaels at ...9077...
Fri Nov 21 07:11:09 EST 2003

Start another instance of Snort. 

1) Create another run line and use the –W switch to pick the interface for
Snort to sniff on.
2) Modify the snort.conf output database line to depict your new criteria,
and place sensor_name=outside at the end of your output database line so
when you view alerts in ACID you will be able to tell which interface the
alerts originated from.


-Michael Steele
 System Engineer / Security Support Technician    
 mailto:michaels at ...9077...   
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Cabrera,
Nestor (Contractor)
Sent: Friday, November 21, 2003 5:35 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Monitoring traffic on 2 Interfaces

Hello list,
I'm currently running Snort v2.0.4 for Windows 2000 with MySQL as the
backend. I originally set it up to monitor one interface for traffic (after
my firewall) and another interface for management, which works fine. I just
added another interface for monitoring traffic before the firewall, but
Snort does not seem to be picking up this traffic. My question is if it is
possible for Snort to do this and how do I configure it to do so? Thanks.

More information about the Snort-users mailing list