[Snort-users] multiple NICs on OpenBSD 3.4

Jacob, Raymond A Jr raymond.jacob at ...7622...
Mon Apr 19 14:18:04 EDT 2004

Looking at the web page at www.snort.org you can have a snort process for every net or 
use bridging. Does anyone know how one gets snort to work under bridging?

I thought about doing something like:




create bridge0
#ep0 on lan1
add ep0
#ep1 on lan2
add ep1
up    # and finally enable it
rule block out on ep0
rule block out on ep1
rule pass in on ep0
rule pass in on ep1

/usr/.../snort -c /usr/local/etc/snort.conf -i bridge0 -u snortgirl -g snortgirl -D > /dev/null & echo -n ' snort'

Alternatively, I have heard of someone trying to use pf to capture traffic and route it
to snort via pf.

block in quick log on ep0
block in quick log on ep1

Packets that match the block rule in pf.conf (i.e. all packets) will be logged/sent
to the pseudo network device driver pflog0. Since pflog0 is a network interface,
use it as an interface that snort can use.

/.../snort -c /.../snort.conf -i pflog0 -u snortgirl -g snortgirl -D > /dev/null & echo -n ' snort'

Thank you
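
An added example, not part of the original post: a small Python model of how pf evaluates rules of the form used above (last matching rule wins, a matching quick rule ends evaluation). It reports whether a sensor reading pflog0 would see inbound packets and whether those packets are still forwarded. The PASS_RULES variant and all function names are assumptions made for illustration.

```python
# Added illustration: simplified model of pf rule evaluation for rules of the
# form "<block|pass> <in|out> [log] [quick] on <iface>" (nothing else parsed).

# Rules as written in the post.
POST_RULES = """\
block in quick log on ep0
block in quick log on ep1
"""
# Constructed variant (assumption, not from the post): log without blocking.
PASS_RULES = """\
pass in log on ep0
pass in log on ep1
"""

def parse_rule(line):
    """Return a dict for a supported rule line, or None for anything else."""
    tok = line.split("#", 1)[0].split()
    if len(tok) < 4 or tok[0] not in ("block", "pass") or tok[1] not in ("in", "out"):
        return None
    if "on" not in tok or tok.index("on") + 1 >= len(tok):
        return None
    on = tok.index("on")
    opts = tok[2:on]
    return {"action": tok[0], "dir": tok[1], "iface": tok[on + 1],
            "log": "log" in opts or "log-all" in opts, "quick": "quick" in opts}

def verdict(rules, iface, direction="in"):
    """pf semantics: last matching rule wins; a matching 'quick' rule ends evaluation."""
    result = ("pass", False)  # implicit default: pass, not logged
    for r in rules:
        if r["iface"] == iface and r["dir"] == direction:
            result = (r["action"], r["log"])
            if r["quick"]:
                break
    return result

def report(text, ifaces=("ep0", "ep1")):
    """Per interface: do inbound packets reach pflog0, and are they forwarded?"""
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    out = {}
    for iface in ifaces:
        action, logged = verdict(rules, iface)
        out[iface] = {"seen_on_pflog0": logged, "forwarded": action == "pass"}
    return out

if __name__ == "__main__":
    for name, text in (("post", POST_RULES), ("pass+log", PASS_RULES)):
        print(name, report(text))
```

The model ignores every other pf.conf construct. With pf's keep state option, log records only the packet that creates the state, and log-all is needed to log the rest of the connection.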

