[Snort-users] Snort Install for monitoring 5 interfaces?

Chris Vaughan chrisv at ...12963...
Tue Feb 8 08:18:10 EST 2005


You will have to have a separate snort process running for each interface you want to listen on.
 
Like so:
/usr/sbin/snort -A full -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth0
/usr/sbin/snort -A full -d -D -i eth1 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth1
/usr/sbin/snort -A full -d -D -i eth2 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth2
/usr/sbin/snort -A full -d -D -i eth3 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth3
/usr/sbin/snort -A full -d -D -i eth4 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth4
 
Now, the script that comes with the Snort rpms will spawn a separate snort for each interface you specify in the /etc/sysconfig/snort configuration file.  I don't know if the source distribution comes with such a script, but it probably does.
 
Hope that helps,
Chris Vaughan
 
-----Original Message-----
From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at ...3204...ts.sourceforge.net]On Behalf Of sEc nErD
Sent: Tuesday, February 08, 2005 10:21 AM
To: Leon Ward
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort Install for monitoring 5 interfaces?
 
Hi LEon, 
Thanks for your reply.Ok right now i have set it up in a test lab enviornment and its listening on one interface.I am still not clear what i would have to do for listening on 5 different interfaces???
i have the acid up and running just not contacting the mysql database but tht i will struggle and work around,but i do need to understand the part for 5 interfaces...could you please detail on thzt
thanks


Leon Ward <leon at ...9950...> wrote:
Hi
Sorry if this is a bit quick, but in a rush.

snort needs to connect to a single interface on start-up, this leaves
you with two options.
A) Have multiple snort instances running bound to each interface.
- This will allow you to customise the configuration for each, I assume
you will want to protect different things on the DMZ compared to the
internal_net
B) Team the interfaces together so you can attach snort to interface
bond0 

Take a look at the following link, it may answer a few questions (I'm a
debian man myself)
http://www.ms.washington.edu/Docs/Linux/rhel-rg-en-3/s1-networkscripts-interfaces.html#S2-NETWORKSCRIPTS-INTERFACES-CHAN


Hope the above helps.


-Leon


On Sun 2005-02-06 at 06:04 -0800, sEc nErD wrote:
> hi all,
> We ahve to install snort on a box running fedora.
> And this snort is supposed to listen on 5 interfaces 
> inside pix,outside pix and 3 dmz's.
> 
> could anyone give some precautions and pointers for
> the install to be taken since its going to listen on 5
> interfaces .Right now am building the box from scratch
> by putting in network cards and installing fedora on
> it ,any precuation on that stage??
> 
> thanks all in advance
> 
> 
> 
> 
> 
> 
> 
> __________________________________ 
> Do you Yahoo!? 
> Yahoo! Mail - You care about security. So do we. 
> http://promotions.yahoo.com/new_mail
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
> Tool for open source databases. Create drag-&-drop reports. Save time
> by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
&g t; Download a FREE copy at http://www.intelliview.com/go/osdn_nl
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
-- 
  _____  

Do you Yahoo!?
Yahoo! Search presents - Jib <http://us.rd.yahoo.com/evt=30648/*http://movies.yahoo.com/movies/feature/jibjabinaugural.html>  Jab's 'Second Term'
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20050208/97a93904/attachment.html>


More information about the Snort-users mailing list