[Snort-users] multiple NICs on OpenBSD 3.4

Jacob, Raymond A Jr raymond.jacob at ...7622...
Mon Apr 19 14:18:04 EDT 2004


Looking at the web page at www.snort.org you can have a snort process for every net or 
use bridging. Does anyone know how one gets snort to work under bridging?

I thought about doing something like:

/etc/hostname.3c0
===================
inet 172.16.154.55 255.255.255.0

/etc/hostname.ep0
===================
up

/etc/hostname.ep1
===================
up


/etc/bridgename.bridge0
===================
create bridge0
#ep0 on lan1
add ep0
#ep1 on lan2
add ep1
up    # and finally enable it
rule block out on ep0
rule block out on ep1
rule pass in on ep0
rule pass in on ep1


snortstart
/usr/.../snort -c /usr/local/etc/snort.conf -i bridge0 -u snortgirl -g snortgirl -D > /dev/null & echo -n ' snort'


Alternatively, I have heard of someone trying to use pf to capture traffic and route it
to snort via pf.

pf.conf
============
block in log quick on ep0
block in log quick on ep1
....

Packets that match the block rule in pf.conf, i.e. all packets, will be logged/sent
to the pseudo network device driver pflog0. Since pflog0 is a network interface,
use it as an interface that snort can use.

snortstart
/.../snort -c /.../snort.conf -i pflog0 -u snortgirl -g snortgirl -D > /dev/null & echo -n ' snort'

Thank you
Raymond
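
Added example (not part of the original post): a sensor reading pflog0 receives DLT_PFLOG frames rather than Ethernet frames, and each frame's header names the NIC and rule that logged it, so traffic from ep0 and ep1 can still be told apart. The header layout is an assumption based on the OpenBSD 3.4-era struct pfloghdr, and the sample frames and helper names are constructed for illustration.

```python
import struct
from collections import Counter

# ASSUMPTION: 48-byte DLT_PFLOG header as in the OpenBSD 3.4-era struct pfloghdr:
# length, af, action, reason, ifname[16], ruleset[16], rulenr, subrulenr, dir, pad[3]
# (rule numbers in network byte order). Later releases append more fields.
PFLOG_HDR = struct.Struct("!BBBB16s16sIIB3x")
ACTIONS = {0: "pass", 1: "block"}
DIRECTIONS = {0: "in/out", 1: "in", 2: "out"}


def parse_pflog(frame):
    """Split one frame captured on pflog0 into (metadata, logged IP packet)."""
    if len(frame) < PFLOG_HDR.size:
        raise ValueError("frame shorter than pflog header")
    (length, af, action, reason, ifname, ruleset,
     rulenr, subrulenr, direction) = PFLOG_HDR.unpack_from(frame)
    # 'length' excludes padding; the packet starts at the next 4-byte boundary.
    offset = (length + 3) & ~3
    if offset < PFLOG_HDR.size or offset > len(frame):
        raise ValueError("implausible pflog header length %d" % length)
    meta = {
        "ifname": ifname.split(b"\0", 1)[0].decode("ascii", "replace"),
        "action": ACTIONS.get(action, "other(%d)" % action),
        "direction": DIRECTIONS.get(direction, "other(%d)" % direction),
        "rulenr": rulenr,
    }
    return meta, frame[offset:]


def frames_per_nic(frames):
    """Count logged frames by the physical interface pf saw them on."""
    return Counter(parse_pflog(f)[0]["ifname"] for f in frames)


# Constructed sample data: a placeholder 20-byte IPv4 header and three frames
# as the two 'block in log' rules (rule 0 on ep0, rule 1 on ep1) would log them.
IP_STUB = bytes([0x45]) + bytes(19)


def make_sample(ifname, rulenr, payload=IP_STUB):
    return PFLOG_HDR.pack(45, 2, 1, 0, ifname.encode(), b"",
                          rulenr, 0xFFFFFFFF, 1) + payload


SAMPLES = [make_sample("ep0", 0), make_sample("ep1", 1), make_sample("ep0", 0)]

if __name__ == "__main__":
    print(sorted(frames_per_nic(SAMPLES).items()))
```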



