[Snort-users] Snort on multiple interfaces

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Thu Nov 4 01:03:17 EST 2004


--On 03 November 2004 18:38 +0200 "Jeffries, Michael MJ" 
<Michael.Jeffries at ...10703...> wrote:

> I have a box with 3 interfaces pointing at different networks, I am
> running fedora 9.2. How can I get snort to sniff on more than one
> interface?
>
> Do I just start two sessions of snort up as follows ?
>
> snort -c /etc/snort/snort.conf -i eth0 &
> snort -c /etc/snort/snort.conf -i eth1 &

That's one, perfectly acceptable, way.

> Or is there a better way to do this?

A different approach (which may be "better" depending on what you're trying 
to achieve) is to bond together the physical interfaces to a single 
interface, and have one instance of Snort sniffing from that. The advantage 
of doing this is that snort can track state across multiple segments. The 
(possible) disadvantage is that you can only use one policy per bond 
interface (i.e. one per instance of Snort).

<http://www.redhat.com/archives/redhat-install-list/2003-July/msg00665.html> 
gives a bit more detail on setting up bonding with RH-like OSs such as 
Fedora. Note that you probably don't want to bind an IP address to bond0 
(or whatever) if you're using it for Snort.

> Thanks a ton
> Mike

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
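
The bonding approach described in the reply above, as an added example that is not part of the original message or of the linked Red Hat post: a shell function that writes RH-style config files for a bond with no IP address bound to it, plus a check that flags any address binding. The names bond0, eth0 and eth1, the output directory, and the miimon=100 option are assumptions.

```shell
#!/bin/sh
# Added example: generate RH-style bonding config for a sniff-only bond.
# Assumed names (not from the post): slaves eth0/eth1, bond device bond0,
# classic /etc/sysconfig/network-scripts ifcfg-* layout.

# write_sniff_bond OUTDIR BOND SLAVE...
# Writes the files into OUTDIR so they can be reviewed before being
# copied into place by hand.
write_sniff_bond() {
    outdir=$1; bond=$2; shift 2
    [ $# -ge 1 ] || { echo "need at least one slave interface" >&2; return 1; }
    mkdir -p "$outdir" || return 1

    # Bond master: BOOTPROTO=none and no IPADDR/NETMASK, so the sniffing
    # interface carries no address, as the reply recommends.
    cat > "$outdir/ifcfg-$bond" <<EOF
DEVICE=$bond
BOOTPROTO=none
ONBOOT=yes
USERCTL=no
EOF

    # Each physical interface is enslaved to the bond, again unaddressed.
    for nic in "$@"; do
        cat > "$outdir/ifcfg-$nic" <<EOF
DEVICE=$nic
MASTER=$bond
SLAVE=yes
BOOTPROTO=none
ONBOOT=yes
USERCTL=no
EOF
    done

    # modprobe.conf lines that load the bonding driver for the bond device.
    printf 'alias %s bonding\noptions %s miimon=100\n' "$bond" "$bond" \
        > "$outdir/modprobe.conf.fragment"
}

# has_ip_binding FILE: succeeds if FILE would give the interface an address.
has_ip_binding() {
    grep -Eq '^(IPADDR|NETMASK)=|^BOOTPROTO=(dhcp|bootp)' "$1"
}

# Once the bond is up, a single instance sniffs it:
#   snort -c /etc/snort/snort.conf -i bond0 &
```

Run `write_sniff_bond ./bond-review bond0 eth0 eth1`, inspect the output, and use `has_ip_binding` on any existing ifcfg file to confirm the sensor interface is not addressable.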





