[Snort-users] Multiple sensors/interfaces, same daemon

Murray, Todd Todd.Murray at ...12036...
Fri Jul 2 12:09:01 EDT 2004


The easiest way to do it is to just run separate processes.

/usr/local/bin/snort -c /etc/snort/snort.eth0.conf -ieth0 -u snort -g snort
-D
/usr/local/bin/snort -c /etc/snort/snort.eth1.conf -ieth1 -u snort -g snort
-D

This way I can keep each sensor running completely separate of the other.
If you want them to have them use 1 config just make sure to set HOME_NET to
include the networks for both interfaces.  

var HOME_NET [10.1.1.0/24,24.57.12.0/24]

Just remember that unless you specify the interface it will assume "any".
I've found its much better to isolate snort as a non-privledged user/group
and manage each interface as a separate sensor under separate processes.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Sergio
Caltagirone
Sent: Thursday, July 01, 2004 11:00 AM
To: Snort-users at lists.sourceforge.net
Subject: [Snort-users] Multiple sensors/interfaces, same daemon


Hey all, how do i configure a single snort daemon to act as a sensor on two
interfaces?  

When I try '-i any' i pick up alot of traffic from 127.0.0.1 - which I'm
guessing is the loopback; however, I get none from eth1 and just fine from
eth0.  

Also, with 2 interfaces, how should the $HOME_NET and $EXTERNAL_NET be set?

Thanks,
Sergio



-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training. Attend Black
Hat Briefings & Training, Las Vegas July 24-29 - 
digital self defense, top technical experts, no vendor pitches, 
unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list