[Snort-users] Multiple sensors/interfaces, same daemon

Joshua Berry jberry at ...11848...
Thu Jul 1 11:26:05 EDT 2004

You could use bonded interfaces.  If your kernel does not have support
compiled into it for bonded interfaces (Network Device Support\Bonding
Driver Support) then you will have to compile your own kernel and then
compile the ifenslave source
(<kernel_source_directory>\Documentation\networking\ifenslave.c).  Then
you can use ifenslave to bond the interfaces together with:

/sbin/ifconfig eth0 promisc up
/sbin/ifconfig eth1 promisc up
/sbin/ifconfig bond0 promisc up
<wherever_your_ifenslave_binary_is>/ifenslave bond0 eth0
<wherever_your_ifenslave_binary_is>/ifenslave bond0 eth1

Then run snort with -i bond0.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Sergio
Sent: Thursday, July 01, 2004 1:00 PM
To: Snort-users at lists.sourceforge.net
Subject: [Snort-users] Multiple sensors/interfaces, same daemon

Hey all, how do I configure a single snort daemon to act as a sensor on
two interfaces?  

When I try '-i any' I pick up a lot of traffic from - which I'm
guessing is the loopback; however, I get none from eth1 and just fine
from eth0.  

Also, with 2 interfaces, how should the $HOME_NET and $EXTERNAL_NET be
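
An added check for the bonding setup described in the reply above (not part of the original thread): before starting snort with -i bond0, confirm that every interface is enslaved and has link, so the sensor is not silently blind on one segment. It parses the status file the Linux bonding driver exposes at /proc/net/bonding/bond0; the function name check_bond_slaves and the sample status text are constructed for this example.

```sh
#!/bin/sh
# Verify that a bonding status file lists every expected slave with link up.
# Usage: check_bond_slaves STATUS_FILE IFACE [IFACE...]
# Prints one line per problem interface; returns 1 if any is missing or down,
# 2 if the status file cannot be read (bonding driver not loaded, wrong name).
check_bond_slaves() {
    status_file=$1; shift
    [ -r "$status_file" ] || { echo "cannot read $status_file" >&2; return 2; }
    rc=0
    for iface in "$@"; do
        # The bond itself has an "MII Status:" line before any slave stanza;
        # only the one following "Slave Interface: <iface>" belongs to the slave.
        state=$(awk -v want="$iface" '
            /^Slave Interface:/ { cur = $3; next }
            /^MII Status:/ && cur == want { print $3; exit }
        ' "$status_file")
        case $state in
            up) ;;
            "") echo "$iface: not enslaved"; rc=1 ;;
            *)  echo "$iface: link $state"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample in the /proc/net/bonding/<bond> layout: eth1 has no link.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth0
MII Status: up
Link Failure Count: 0

Slave Interface: eth1
MII Status: down
Link Failure Count: 1
EOF

# On a live sensor, pass /proc/net/bonding/bond0 instead of "$sample".
check_bond_slaves "$sample" eth0 eth1 ||
    echo "bond0 incomplete: snort -i bond0 would miss traffic"
```
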

