[Snort-users] Multi interface problem
steven.lodin at ...2524...
Mon Feb 28 13:39:20 EST 2005
Ah, great info. I was just thinking about this. I haven't had time to try it yet and am not physically near my console so I have one question for both the "any" and "-i bond0" solutions:
- Does the image size of snort increase when you increase the number of interfaces being snorted?
I have a low-memory system monitoring a low-bandwidth home environment and I would not like to see the amount of memory consumed by snort double/triple/quadruple based on snorting 2/3/4 interfaces simultaneously.
> > On Sat, 26-02-2005 at 14:49 +0800, abanger wu wrote:
> >> snort -i eth0 eth1 eth2 -c /etc/snort/snort.conf
> > You can't use this syntax, you can't use more than one
> > interface for the switch -i. If you are running Linux
> > you can use the interface "any" to ask snort to listen
> > on all interfaces.
> Or, alternatively, bond them together, then use '-i bond0'. Jose's
> suggestion is best if you want to use different configurations for each
> instance of snort (and even better if you have multiple CPUs in your sensor
> host), using bonding is better if you're happy with a single
> and you want better tracking of the state of connections. Swings n'