[Snort-users] Snort on multiple interfaces

Nick Hatch nick at ...11410...
Wed Nov 3 21:53:11 EST 2004


Never done it before, but there's an entry in the Snort FAQ which covers 
this:

http://www.snort.org/docs/FAQ.txt

>3.6 How can I run snort on multiple interfaces simultaneously.
>
>LINUX: If you aren't running snort on linux 2.1.x/2.2.x kernel (with LPF
>available) the only way is to run multiple instances of snort, one instance per
>interface (with the -i option specifying the interface). However for linux
>2.1.x/2.2.x and higher you can use libpcap library with S. Krahmer's patch
>which allows you to specify 'any' as interface name. In this case snort will be
>able to process traffic coming to all interfaces.
>
>*BSD: Use the ``bridge'' interface to combine your nics into a logical
>interface (bridge0).
>


Jeffries, Michael MJ wrote:

> Hi there,
>
> I have a box with 3 interfaces pointing at different networks, I am 
> running fedora 9.2. How can I get snort to sniff on more than one 
> interface?
>
> Do I just start two sessions of snort up as follows ?
>
> snort -c /etc/snort/snort.conf -i eth0 &
> snort -c /etc/snort/snort.conf -i eth1 &
>
> Or is there a better way to do this?
>
> Thanks a ton
> Mike
>




More information about the Snort-users mailing list