[Snort-users] Snorting on 2 interfaces

AJ Butcher, Information Systems and Computing Alex.Butcher at ...11254...
Thu Apr 22 00:56:32 EDT 2004


--On 17 April 2004 13:26 -0600 Conan the Librarian 
<conan_the_librarian at ...4723...> wrote:

> Hello all,
>
> Need a little help here configuring snort to sniff on two interfaces
> simultaneously in a low traffic environment.
>
> Tried editing /etc/init.d/snort config file with IFACE=eth0,eth1

That will try to sniff on an interface named "eth0,eth1" and will almost 
certainly fail.

> then IFACE=[eth0,eth1]

Bogus.

> then two separate lines of IFACE=eth0 and IFACE=eth1

The second line will redefine the shell variable IFACE from eth0 to eth1 
and snort will only sniff on eth1.

> all with no joy. Read Beale, Foster and Posluns' book cover to cover.
> Checked man pages. Searched archives. All have HINTS that it can be done
> but no one specifies the syntax of the initiation or conf file.

With the standard snortd init script, setting

        IFACE="eth1 -i eth0 -i eth3"

should work. Note the '-i's for the second and subsequent interfaces.

Alternatively, bond the interfaces together, and attach snort to the bond0 
interface.

> Anyone done this before?
> MJ

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9






More information about the Snort-users mailing list