[Snort-users] Snort on multiple interfaces
Alex Butcher, ISC/ISYS
Alex.Butcher at ...11254...
Thu Nov 4 01:03:17 EST 2004
--On 03 November 2004 18:38 +0200 "Jeffries, Michael MJ"
<Michael.Jeffries at ...10703...> wrote:
> I have a box with 3 interfaces pointing at different networks, I am
> running Fedora 9.2. How can I get snort to sniff on more than one
> Do I just start two sessions of snort up as follows?
> snort -c /etc/snort/snort.conf -i eth0 &
> snort -c /etc/snort/snort.conf -i eth1 &
That's one, perfectly acceptable, way.
> Or is there a better way to do this?
A different approach (which may be "better" depending on what you're trying
to achieve) is to bond together the physical interfaces to a single
interface, and have one instance of Snort sniffing from that. The advantage
of doing this is that snort can track state across multiple segments. The
(possible) disadvantage is that you can only use one policy per bond
interface (i.e. one per instance of Snort).
gives a bit more detail on setting up bonding with RH-like OSs such as
Fedora. Note that you probably don't want to bind an IP address to bond0
(or whatever) if you're using it for Snort.
> Thanks a ton
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
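
The bonding approach described in the reply above, as an added example that is not part of the original post: it stages Red Hat style network-scripts files for a bond with no IP address and prints the single Snort command line. The staging directory, the bond mode (`mode=0`), the `miimon` value and the helper names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: stage RH-style network-scripts files for a sniffing-only bond.
# Nothing is written under /etc; review the staged files before installing them.

# write_bond_cfg OUTDIR BOND SLAVE...   (hypothetical helper)
write_bond_cfg() {
    outdir=$1; bond=$2; shift 2
    mkdir -p "$outdir" || return 1

    # Bond master: brought up at boot, deliberately no IPADDR/NETMASK and no
    # DHCP, so the interface Snort listens on has no address of its own.
    cat > "$outdir/ifcfg-$bond" <<EOF
DEVICE=$bond
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
EOF

    # Each physical interface is enslaved to the bond, also without an address.
    for nic in "$@"; do
        cat > "$outdir/ifcfg-$nic" <<EOF
DEVICE=$nic
MASTER=$bond
SLAVE=yes
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
EOF
    done

    # Bonding driver configuration. mode=0 (balance-rr) keeps every slave
    # active; the mode and miimon value are assumptions, not from the post.
    printf 'alias %s bonding\noptions %s mode=0 miimon=100\n' "$bond" "$bond" \
        > "$outdir/modprobe.conf.fragment"
}

# has_no_address FILE: succeeds only if FILE sets no IP address and no DHCP.
has_no_address() {
    ! grep -Eq '^(IPADDR|NETMASK)=|^BOOTPROTO=(dhcp|bootp)' "$1"
}

# snort_cmd BOND: the single Snort invocation, same form as in the question.
snort_cmd() {
    echo "snort -c /etc/snort/snort.conf -i $1"
}

# Demo run into a throwaway directory (constructed interface names).
stage=$(mktemp -d) && write_bond_cfg "$stage" bond0 eth0 eth1 && snort_cmd bond0
```

Running `has_no_address` against the staged `ifcfg-bond0` before copying it into place checks that the sensor interface will not come up with an address.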