[Snort-users] Snort on multiple interfaces

Nick Hatch nick at ...11410...
Wed Nov 3 21:53:11 EST 2004

Never done it before, but there's an entry in the Snort FAQ which covers 


>3.6 How can I run snort on multiple interfaces simultaneously.
>LINUX: If you aren't running snort on linux 2.1.x/2.2.x kernel (with LPF
>available) the only way is to run multiple instances of snort, one instance per
>interface (with the -i option specifying the interface). However for linux
>2.1.x/2.2.x and higher you can use libpcap library with S. Krahmer's patch
>which allows you to specify 'any' as interface name. In this case snort will be
>able to process traffic coming to all interfaces.
>*BSD: Use the ``bridge'' interface to combine your nics into a logical
>interface (bridge0).

Jeffries, Michael MJ wrote:

> Hi there,
> I have a box with 3 interfaces pointing at different networks, I am 
> running fedora 9.2. How can I get snort to sniff on more than one 
> interface?
> Do I just start two sessions of snort up as follows ?
> snort -c /etc/snort/snort.conf -i eth0 &
> snort -c /etc/snort/snort.conf -i eth1 &
> Or is there a better way to do this?
> Thanks a ton
> Mike

More information about the Snort-users mailing list