[Snort-users] Snort startup with multiple interfaces

Jade E. Deane jade.deane at ...9894...
Wed Sep 10 18:56:31 EDT 2003


How about a FreeBSD machine being used as a sensor, where the ingress
and egress traffic comes in mirrored on different interfaces.

I have a physical Ethernet tap that takes TX traffic to NIC 1, and RX
traffic to NIC 2.  I run separate snort instances for each.... to me,
this is, well, stupid.

There must be a better way, or a method of combinging the TX/RX data to
one logical interface, in lieu of using a switch SPAN or mirror port.

Regards,
Jade

On Wed, 2003-09-10 at 11:12, J.Mann wrote:
> > Since I have 4 eth commands there, will Snort take them all and listen
> > on each interface? 
> 
> This is mentioned in the FAQ:
> 
>   http://www.snort.org/docs/faq.html#3.4
> 
> Regards,
> Jon Mann
> 
> 
> On Wed, Sep 10, 2003 at 11:11:28AM -0400, Frye, Dan wrote:
> > I'm running Snort 2.01 on linux. I'm using the command line:
> > 
> > /app/snort/bin/snort -U -d -D -c -o /app/snort/snort.conf -i eth0 -i
> > eth1 -i eth3 -i eth4
> > 
> > Since I have 4 eth commands there, will Snort take them all and listen
> > on each interface? I don't have my taps yet so I can't test it, but am
> > hoping someone can confirm or deny this config. Thanks.
> >  
> > d
> > 
> > 
> > 
> > -------------------------------------------------------
> > This sf.net email is sponsored by:ThinkGeek
> > Welcome to geek heaven.
> > http://thinkgeek.com/sf
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- 

PGP Public Key:  http://www.riven.net/~moose/key.asc
Key fingerprint = C497 1FEC 6FC4 6896 6AB5  9A26 71DF 521B 0612 D1B8
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030910/b42290e9/attachment.sig>


More information about the Snort-users mailing list