[Snort-users] Multiple instances of snort on one box?
edin.dizdarevic at ...7509...
Fri Oct 22 02:06:11 EDT 2004
Matt Kettler wrote:
> At 03:39 PM 10/21/2004, Drew Stockman wrote:
> Depends a bit on your OS.. Most linuxes will support -i "any" which will
> allow a single snort process to sniff all three.. However, your results
> will be mixed together.
What I mislike on "any" is that it also will be capturing on loopback.
So remember to disable the appropriate rules. Unfortunately there is
some real traffic on the Internet claiming to be from 127.0.0.1. Since
the lo intarface has no MAC there is no to me known possibility to blend
this traffic out.
Additionally the promisc mode will not work with "-i any".
More information about the Snort-users