[Snort-users] Snort startup with multiple interfaces

Matt Kettler mkettler at ...4108...
Wed Sep 10 17:26:35 EDT 2003

At 11:11 AM 9/10/2003 -0400, Frye, Dan wrote:
>/app/snort/bin/snort -U -d -D -c -o /app/snort/snort.conf -i eth0 -i
>eth1 -i eth3 -i eth4
>Since I have 4 eth commands there, will Snort take them all and listen
>on each interface? I don't have my taps yet so I can't test it, but am
>hoping someone can confirm or deny this config. Thanks.

That doesn't work, you can only specify one -i parameter to snort.

In the future please RTF (read the FAQ) at http://www.snort.org/docs/FAQ.txt

Direct quote of the FAQ:

3.6 How can I run snort on multiple interfaces simultaneously.

LINUX: If you aren't running snort on linux 2.1.x/2.2.x kernel (with LPF
available) the only way is to run multiple instances of snort, one instance per
interface (with the -i option specifying the interface). However for linux
2.1.x/2.2.x and higher you can use libpcap library with S. Krahmer's patch
which allows you to specify 'any' as interface name. In this case snort will be
able to process traffic coming to all interfaces.

*BSD: Use the ``bridge'' interface to combine your nics into a logical
interface (bridge0).

