[Snort-users] Multi interface problem

Lodin, Steven steven.lodin at ...2524...
Mon Feb 28 13:39:20 EST 2005


Ah, great info. I was just thinking about this.  I haven't had time to try it yet and am not physically near my console so I have one question for both the "any" and "-i bond0" solutions:

- Does the image size of snort increase when you increase the number of interfaces being snorted?

I have a low-memory system monitoring a low-bandwidth home environment and I would not like to see the amount of memory consumed by snort double/triple/quadruple based on snorting 2/3/4 interfaces simultaneously.

Thanks,

Steve


> > El sáb, 26-02-2005 a las 14:49 +0800, abanger wu escribió:
> >> snort  -i eth0 eth1 eth2 -c /etc/snort/snort.conf
> >
> > You can't use this syntax, you can't use more than one
> > interface for the switch -i. If you are running Linux
> > you can use the interface "any" to ask snort to listen
> > on all interfaces.
> 
> Or, alternatively, bond them together, then use '-i bond0'. Jose's 
> suggestion is best if you want to use different 
> configurations for each 
> instance of snort (and even better if you have multiple CPUs 
> in your sensor 
> host), using bonding is better if you're happy with a single 
> configuration 
> and you want better tracking of the state of connections. Swings n' 
> roundabouts.




More information about the Snort-users mailing list