[Snort-users] Multiple instances of snort on one box?

Edin Dizdarevic edin.dizdarevic at ...7509...
Fri Oct 22 02:06:11 EDT 2004


Hi,

Matt Kettler wrote:

> At 03:39 PM 10/21/2004, Drew Stockman wrote:

...
> 
> Depends a bit on your OS.. Most linuxes will support -i "any" which will 
> allow a single snort process to sniff all three.. However, your results 
> will be mixed together.

What I mislike on "any" is that it also will be capturing on loopback.
So remember to disable the appropriate rules. Unfortunately there is
some real traffic on the Internet claiming to be from 127.0.0.1. Since 
the lo intarface has no MAC there is no to me known possibility to blend
this traffic out.

Additionally the promisc mode will not work with "-i any".

So beware.

Regards,
Edin


-- 
Edin Dizdarevic




More information about the Snort-users mailing list