[Snort-users] Snort start up on Multiple interface

Truax, Shawn (MBS) Shawn.Truax at ...8509...
Tue Apr 27 13:25:08 EDT 2004


Hi Brian,

The only way that I know of and the way that I use is to use multiple
instances of snort with their own config files.  In my opinion this is
actually the best way and gives added benefits when logging to a database
and sniffing multiple segments of a network.  I would assume that the 4
interfaces you have are not all sniffing the same segment of your network,
and are on multiple segments of your network.  

The real added advantage to this solution is signature tuning.  By having
multiple config files you can have multiple signature lists.  One thing you
will quickly find is that one signature on one segment of your network will
produce many false positives while on a different segment it will produce
none.  By having multiple config files you can tailor each to the segment it
is watching and actually potentially increase the performance of snort by
weeding out the false positives in a more controlled manner.

Shawn Truax
Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario
M5H 3B7
(416)327-1107




-----Original Message-----
From: Brian Webster [mailto:bwebster at ...11660...]
Sent: April 27, 2004 1:02 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort start up on Multiple interface


Hi. I'm looking for a little "how-to" info to get Snort running on a 4
port NIC.
It seems as though any attempt to add reference to additional interfaces in
the etc/init.d/argus file is unsuccessful. (I am using the argus
installation on Redhat9.0)
I have tried comma separated values eth0,eth1,eth2,eth3. No luck.
I don't really want to get multiple instances of snort running unless that is
the only way. I'm just trying to get data logged from behind several
switches to one machine. Has anyone got any advice?

Brian
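
The one-instance-per-interface setup described in the reply above, sketched as a start-up script. This is an added example, not part of the original thread; the config naming (snort-<iface>.conf), the log directory layout and the interface list are assumptions.

```shell
#!/bin/sh
# Added example: one Snort process per sniffing interface, each with its own
# config file (and so its own tuned rule list) and its own log directory.
# Assumed layout, not from the original post: $CONF_DIR/snort-<iface>.conf
CONF_DIR="${CONF_DIR:-/etc/snort}"
LOG_ROOT="${LOG_ROOT:-/var/log/snort}"
INTERFACES="${INTERFACES:-eth0 eth1 eth2 eth3}"
SNORT="${SNORT:-snort}"
DRY_RUN="${DRY_RUN:-1}"          # 1 = only print the commands (default)

# Run (or, in dry-run mode, print) snort for one interface.
# $1 = mode flag: -T tests the config and exits, -D starts a daemon.
# $2 = interface name.
run_snort() {
    prefix=""
    [ "$DRY_RUN" = 1 ] && prefix="echo"
    $prefix "$SNORT" "$1" -i "$2" -c "$CONF_DIR/snort-$2.conf" -l "$LOG_ROOT/$2"
}

# Start every interface whose config exists and passes snort's test mode.
# Returns non-zero if any interface was skipped or failed, so a segment
# left unmonitored is visible to whatever calls this script.
start_all() {
    rc=0
    for ifc in $INTERFACES; do
        if [ ! -r "$CONF_DIR/snort-$ifc.conf" ]; then
            echo "skip $ifc: no $CONF_DIR/snort-$ifc.conf" >&2
            rc=1; continue
        fi
        [ "$DRY_RUN" = 1 ] || mkdir -p "$LOG_ROOT/$ifc" || { rc=1; continue; }
        if run_snort -T "$ifc" >/dev/null 2>&1; then
            run_snort -D "$ifc" || rc=1
        else
            echo "skip $ifc: config test failed" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh thisfile start   (set DRY_RUN=0 to actually launch the daemons)
case "${1:-}" in start) start_all ;; esac
```

Because each instance writes to its own log directory and reads its own rule list, a noisy signature can be disabled for one segment without touching the others.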

