[Snort-users] Binding snort to multiple interfaces

Rolf A. Vaglid rolf at ...11598...
Wed Apr 7 17:11:28 EDT 2004


eric-dated-1083277626.193075aa63e273 at ...11523... wrote:

>On Wed, 2004-04-07 at 16:48:17 -0500, eamonn doyle proclaimed...
>
>  
>
>>Patrick is right, run 2 snort processes. Here is what I use; it will get you 
>>the eth0 and eth1 you want to differentiate between the interfaces.
>>
>>/usr/local/bin/snort -d -i eth0 -I -D
>>/usr/local/bin/snort -d -i eth1 -I -D
>>/usr/local/bin/snort -d -i eth2 -I -D
>>
>>This works for me, I run it from the directory that contains the conf file and 
>>    
>>
>Thanks.
>
>So then my question is: is any work being done on making multiple
>interfaces possible? I'd think folks monitoring separate interfaces
>would enjoy this, especially if each alert was tagged with an
>interface ID.
>  
>
I use the Snort 2.1.2 rpms on Fedora Core 1 and it listens to my two VLAN interfaces out-of-the-box.
The /etc/init.d/snort script contains the following:

        if [ "$INTERFACE" = "-i ALL" ]; then
           # one snort instance per eth* entry found under /proc/sys/net/ipv4/conf
           for i in `cd /proc/sys/net/ipv4/conf; ls -d eth* |sed s/"\/"//g`
           do
                mkdir -p "$LOGDIR/$i"
                chown -R snort:snort $LOGDIR
                daemon /usr/sbin/snort $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST
           done
        else
           daemon /usr/sbin/snort $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST
        fi

This searches the /proc/sys/net/ipv4/conf/ directory for interfaces beginning with eth*.
/proc/sys/net/ipv4/conf/ contains configurations for all the interfaces, in my case:
all  default  eth0.188  eth0.4  lo
Since the script finds two interfaces whose names start with eth*, it automatically starts two snort instances, 
and each instance is associated with a separate sensor.

If you are using VLANs like me, be aware that VLANs might have different naming policies (eth0.4, vlan0004, eth0004).
With this script only those beginning with eth will work. This is easy to fix if you have to use the vlan0004 method.

Cheers
Rolf
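As an added example (not code from Rolf's post or from the Fedora snort rpm), here is a POSIX shell version of the same discovery loop that also accepts the vlan0004 naming policy mentioned above. The sysctl directory, log directory and config paths are assumptions, the snort flags are standard Snort 2.x options, and the commands are printed rather than executed so the script runs on a box without snort installed.

```shell
#!/bin/sh
# Added example, not code from the original post or the Fedora snort rpm.
# Discover capture interfaces the way the init script does (by listing
# /proc/sys/net/ipv4/conf) but accept both the ethN.M and vlanNNNN naming
# policies, then build one snort command line per interface. Commands are
# printed rather than executed so this runs on a box without snort installed.

# list_sensor_ifaces DIR
# Prints one interface name per line for each directory in DIR whose name
# matches a capture-interface naming policy. The entries all, default and
# lo are skipped: the first two are sysctl pseudo-entries, not interfaces,
# and loopback is not worth a sensor.
list_sensor_ifaces() {
    dir=$1
    for path in "$dir"/*; do
        [ -d "$path" ] || continue
        i=${path##*/}
        case $i in
            all|default|lo) ;;
            eth*|vlan*)     printf '%s\n' "$i" ;;
        esac
    done
}

# build_snort_cmd IFACE LOGDIR CONF
# One snort instance per interface, each logging to its own subdirectory,
# with -I so every alert is tagged with the interface it was seen on.
# Flags are Snort 2.x: -b binary (tcpdump) log, -D daemonise, -I print the
# interface name in alerts, -u/-g drop privileges after opening the socket.
build_snort_cmd() {
    iface=$1 logdir=$2 conf=$3
    printf '/usr/sbin/snort -b -D -I -i %s -u snort -g snort -c %s -l %s/%s\n' \
        "$iface" "$conf" "$logdir" "$iface"
}

# start_all DIR LOGDIR CONF
# Dry run: prints the mkdir and snort command for every interface found.
start_all() {
    list_sensor_ifaces "$1" | while IFS= read -r i; do
        printf 'mkdir -p %s/%s\n' "$2" "$i"
        build_snort_cmd "$i" "$2" "$3"
    done
}

# Stand-alone usage on a live system (assumed paths):
#   sh this.sh /proc/sys/net/ipv4/conf /var/log/snort /etc/snort/snort.conf
if [ "$#" -ge 3 ]; then
    start_all "$1" "$2" "$3"
fi
```

Because each instance gets its own -l directory and -I, an alert can be attributed to the interface that saw it even though the instances share one snort.conf; that is what the thread asked for. Anything not matching eth* or vlan* (ppp0, bond0, the all/default pseudo-entries) is deliberately left out, so extend the case pattern if your sensor uses another naming scheme.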
