[Snort-users] Snort start up on Multiple interface
mkettler at ...4108...
Tue Apr 27 13:16:07 EDT 2004
At 01:02 PM 4/27/2004, Brian Webster wrote:
>I have tried comma separted values eth0,eth1,eth2,eth3. no luck.
>I don't really want to get multiple intances of snort running unless that
>is the only way.
AFAIK there's no support for specifying multiple interfaces to snort.
There's only 3 ways to do something like this:
1) start multiple snorts
2) create a bonded interface which combines all 4 and start snort
3) if you're on linux, you have the option of using "any" as an
interface, which will pick up all the interfaces (including lo, if I'm not
Fundamentally, a single snort opening 4 different ethernet ports is not
substantialy lower overhead than 4 separate copies of snort, and the code
is much less complex. Certainly the overhead savings is not enough to
justify adding a ugly mess in the code that calls pcap, and add some minor
slowdowns for every single-interface snort user.
Besides, bonded interfaces should let you do what you want without needing
any support in the snort code.
More information about the Snort-users