[Snort-users] Problem with the '-i' option

Alex Tatistcheff alex.tatistcheff at ...11827...
Wed Nov 4 10:57:22 EST 2009

To check and see if it's a problem with your bridge setup try using tcpdump
and see if you get the same results, i.e. tcpdump -i br1 -vXs0

Alex Tatistcheff
alext at ...492...

-- When a convicted terrorist was sentenced to face Jack Bauer, he appealed
to have the sentence reduced to death.

On Mon, Nov 2, 2009 at 2:17 AM, Eric S <ericseligman at ...125...> wrote:

>  Hello everyone,
> I am having a bit of a problem getting Snort to run on different interfaces
> on Linux. I have a bridge setup (br0) that is bridged with eth1 (my primary
> physical interface connected to the network). I also have another bridge
> (br1) that connects a number of other virtual interfaces (mostly for VM's),
> such as vif1, vif2, etc. My issue is when I issue a command such as:
> snort -i br1 -dev
> All I see is traffic from br0. This occurs with every other interface on my
> system. No errors are generated, however when snort is initialized (no
> matter the interface specified, even if its jiberish) I see this
> information:
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> ***
> *** interface device lookup found: br0
> ***
> Initializing Network Interface br0
> Decoding Ethernet on interface br0
> So it seems to me that snort is ignoring my '-i' switch, and just using the
> first active interface, which would be br0. It would appear that there may
> be an issue with the interface detection script, in that it is only see
> "br0" as active. However, this certainly seems like a bug because A.)
> Network traffic flows as excepted from each of the interfaces, and B.)
> tcpdump -i works perfectly on all the interfaces.
> So the question is, does anyone have an idea as to what is going wrong, or
> what I can do to remidy this issue? I've searched for hours on this issue
> and havent found much, so any help would be appreciated.
> Thanks,
> Eric
> ------------------------------
> New Windows 7: Find the right PC for you. Learn more.<http://www.microsoft.com/windows/pc-scout/default.aspx?CBID=wl&ocid=PID24727::T:WLMTAGL:ON:WL:en-US:WWL_WIN_pcscout:112009>
> ------------------------------------------------------------------------------
> Come build with us! The BlackBerry(R) Developer Conference in SF, CA
> is the only developer event you need to attend this year. Jumpstart your
> developing skills, take BlackBerry mobile applications to market and stay
> ahead of the curve. Join us from November 9 - 12, 2009. Register now!
> http://p.sf.net/sfu/devconference
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20091104/c97f2169/attachment.html>

More information about the Snort-users mailing list