[Snort-users] Multiple NICs in a Linux box and Snort

Bennett Todd bet at ...6163...
Fri Nov 19 11:04:05 EST 2004


2004-11-19T18:51:20 Lyndon Tiu:
> It can monitor multiple NICs.

On some platforms it can, Linux is one of them.

> From snort.conf:

But HOME_NET has nothing to do with it; you can run snort fine with
HOME_NET undefined. It's a tuning parameter for teaching snort your
network config, so it can analyze the traffic it sees more
knowledgeably.

But the traffic it sees is controlled by the interface arg to -i on
the snort cmdline. On some platforms, including Linux with at least
some libpcaps, you can go "-i any" if you want to listen on _all_
NICs attached to the system, or you can specify one single NIC.
Those are your choices there.

For a very common case, where you need to aggregate the traffic
coming in on two NICs coming from a network tap, but don't want to
be snorting the mgmt interface, Linux's bonding driver is the
ticket. You can bond unnumbered NICs, just ignore the errors
ifenslave gives, it's annoyed because it can't properly configure
the IP addrs, but we don't care. Check the networking/bonding.txt in
the kernel docs for details, especially noting the "Promiscuous
Sniffing notes" section.

-Bennett
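
The bonding setup described in the message above, as an added example that is not part of the original post: it uses iproute2's `ip link` in place of the `ifenslave` tool the message mentions. The interface names, the `tap_bond_plan` and `tap_bond_apply` helpers, and the snort.conf path are assumptions.

```shell
#!/bin/sh
# Added example (constructed): interface names and the snort.conf path are assumptions.

# tap_bond_plan BOND MGMT_NIC TAP_NIC TAP_NIC...
# Prints the setup commands one per line. Returns 1, printing nothing on
# stdout, if a name is malformed, the management NIC is listed as a
# member, or fewer than two tap NICs are given.
tap_bond_plan() {
    [ $# -ge 4 ] || { echo "usage: tap_bond_plan BOND MGMT TAP TAP..." >&2; return 1; }
    bond=$1; mgmt=$2
    shift 2
    for nic in "$bond" "$@"; do
        case $nic in
            ''|*[!A-Za-z0-9_.-]*) echo "bad interface name: $nic" >&2; return 1 ;;
        esac
        if [ "$nic" = "$mgmt" ]; then
            echo "refusing to put management NIC $nic in the bond" >&2
            return 1
        fi
    done
    # balance-rr is a mode in which the bonding driver passes the
    # promiscuous setting on to every member, not just the active one.
    echo "ip link add $bond type bond mode balance-rr"
    for nic in "$@"; do
        # Members stay unnumbered (no IP address) and must be down to join.
        echo "ip link set dev $nic down"
        echo "ip link set dev $nic master $bond"
    done
    echo "ip link set dev $bond promisc on"
    echo "ip link set dev $bond up"
    # Snort listens on the bond only, so it never sees the management NIC.
    echo "snort -i $bond -c /etc/snort/snort.conf"
}

# tap_bond_apply: same arguments; runs the plan as root, stopping at the
# first command that fails.
tap_bond_apply() {
    plan=$(tap_bond_plan "$@") || return 1
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || exit 1
    done
}
```

Run `tap_bond_plan bond0 eth0 eth1 eth2` to review the commands before passing the same arguments to `tap_bond_apply`.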