[Snort-users] Snort with two sniffing interfaces

Alejandro Cabrera Obed aco1967 at ...11827...
Tue May 18 13:34:56 EDT 2010


In my case, I use the same snort.conf configuration file to start both
snort instances:

- The first instance runs as a Windows service and listens on sniffing
interface #2
- The second instance runs as a DOS script and listens on sniffing interface #3

After that I see the logs in the BASE console, so I suppose they run OK.

If anybody can add something, welcome!!!

Regards.



2010/5/18 Andy Berryman <aberryman at ...14758...>:
> So, if you want to use snort to sniff on two interfaces, how do you use the
> same config file? Is that possible?  Or should I just bond them and make
> snort listen on the bonded interface?
>
>
>
> When I try it like this, I get errors b/c of the .so rules.
>
>
>
> /snort/snort -D -N -i eth0 -i eth1 -c /snort/conf/snort.conf
>
>
>
> May 18 17:05:54 (none) snort[14547]: FATAL ERROR:
> /snort/conf/snort.rules(46) : pcre compile of
> "(<object\s*[^>]*\s*id\s*=\s*(?P<m13>\x22|\x27|)(?P<id1>.+?)(?P=m13)(\s|>)[^>]*\s*classid\s*=\s*(?P<q27>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*77829F14-D911-40FF-A2F0-D11DB8D6D0BC\s*}?\s*(?P=q27)(\s|>).*(?P=id1)\s*\.\s*(SetFormatLikeSample|CreateFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q28>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*77829F14-D911-40FF-A2F0-D11DB8D6D0BC\s*}?\s*(?P=q28)(\s|>)[^>]*\s*id\s*=\s*(?P<m14>\x22|\x27|)(?P<id2>.+?)(?P=m14)(\s|>).*(?P=id2)\.(SetFormatLikeSample|CreateFile))\s*\("
> failed at offset 30 : unrecognized character after (?
>
>
>
> Thanks,
>
> Andy Berryman



-- 
Alejandro Cabrera Obed
aco1967 at ...11827...
www.alejandrocabrera.com.ar
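
The arrangement described in the reply above (one Snort process per sniffing interface, all reading the same snort.conf), as an added shell example that is not part of either message. The binary and config paths are taken from the command quoted in the thread; the per-interface log directory under `/var/log/snort`, the `-T` pre-check and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: one Snort process per sniffing interface, all sharing one snort.conf.
# Binary and config paths come from the command in the thread; LOG_ROOT is an assumption.
SNORT_BIN="${SNORT_BIN:-/snort/snort}"
SNORT_CONF="${SNORT_CONF:-/snort/conf/snort.conf}"
LOG_ROOT="${LOG_ROOT:-/var/log/snort}"

# Accept only names that are safe as a path component (eth0, bond0, or a
# numeric index such as 2 on Windows builds).
valid_iface() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the command line used for one interface (hypothetical helper).
snort_cmd() {
    valid_iface "$1" || return 1
    printf '%s -D -i %s -c %s -l %s/%s\n' \
        "$SNORT_BIN" "$1" "$SNORT_CONF" "$LOG_ROOT" "$1"
}

# Start one daemonized instance per interface. With DRY_RUN=1 only print.
start_all() {
    rc=0
    for ifc in "$@"; do
        if ! snort_cmd "$ifc" >/dev/null; then
            echo "skipping invalid interface name: $ifc" >&2; rc=1; continue
        fi
        if [ "${DRY_RUN:-0}" = 1 ]; then snort_cmd "$ifc"; continue; fi
        mkdir -p "$LOG_ROOT/$ifc" || { rc=1; continue; }
        # -T loads snort.conf and its rules, then exits; a rule that fails
        # to compile stops this instance here instead of after daemonizing.
        if ! "$SNORT_BIN" -T -i "$ifc" -c "$SNORT_CONF" -l "$LOG_ROOT/$ifc" >/dev/null 2>&1; then
            echo "config test failed for $ifc, not starting" >&2; rc=1; continue
        fi
        "$SNORT_BIN" -D -i "$ifc" -c "$SNORT_CONF" -l "$LOG_ROOT/$ifc" || rc=1
    done
    return "$rc"
}

# Run as: sh start-snort.sh eth0 eth1
if [ "$#" -gt 0 ]; then start_all "$@"; fi
```

Setting `DRY_RUN=1` prints the command lines without touching the sensor, which is useful for checking the interface list first.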



