[Snort-users] Snort start up on Multiple interface

Matt Kettler mkettler at ...4108...
Tue Apr 27 13:16:07 EDT 2004


At 01:02 PM 4/27/2004, Brian Webster wrote:
>I have tried comma-separated values eth0,eth1,eth2,eth3. No luck.
>I don't really want to get multiple instances of snort running unless that
>is the only way.


AFAIK there's no support for specifying multiple interfaces to snort.

There are only 3 ways to do something like this:
         1) start multiple snorts
         2) create a bonded interface which combines all 4 and start snort
            on that.
         3) if you're on Linux, you have the option of using "any" as an
            interface, which will pick up all the interfaces (including lo,
            if I'm not mistaken).


Fundamentally, a single snort opening 4 different ethernet ports is not
substantially lower overhead than 4 separate copies of snort, and the code
is much less complex. Certainly the overhead savings is not enough to
justify adding an ugly mess in the code that calls pcap, and adding some minor
slowdowns for every single-interface snort user.

Besides, bonded interfaces should let you do what you want without needing 
any support in the snort code.








