[Snort-users] Snort with two sniffing interfaces

Joel Esler jesler at ...1935...
Thu May 20 09:44:49 EDT 2010

On May 20, 2010, at 3:24 AM, Edward Bjarte Fjellskål wrote:
> Crook, Parker wrote:
>> Either run two instances:
>> /snort/snort -D -N -i eth0 -c /snort/conf/snort.conf
>> /snort/snort -D -N -i eth1 -c /snort/conf/snort.conf
>> or bond the interfaces:
>> /snort/snort -D -N -i bond0 -c /snort/conf/snort.conf
>> Personally I run two instances because I have two logically different
>> environments I am sniffing and want/need to run two different configs;
>> if I didn’t have this need I would probably go the bonded route.
> Hi,
> I Just wanted to add the little talked about feature of snort, where
> you can define virtual networks, example:
> config binding: /etc/snort/vips/snort-0.conf net
> config binding: /etc/snort/vips/snort-1.conf net
> config binding: /etc/snort/vips/snort-2.conf net
> So, you have a default /etc/snort/snort.conf and configure that as
> a fall-back configuration (Catch all traffic not handled by your
> virtual configs) and then add the statements above. You can then
> configure snort-0.conf, snort-1.conf, snort-2.conf to handle their
> respective traffic (Variables, rules, preprocessors etc).
> In this case, if you have:
> on eth1
> on eth2
> on eth3
> you would need to bond them together and have snort listen on the bonded
> interface.
> My gut feelings are that there are some performance and memory benefits
> firing up one instance of snort configured with virtual-networks, then
> firing up X instances of snort, but I have not done any tests.
> *I would like to hear thoughts from other playing with this feature*
> Best regards,
> Edward Fjellskål

As an added note, you can also do virtual binding by VLAN as well.  I encourage those of you that are interested in this feature (which is great, I've used it several times at several different installations already), to check out README.multipleconfigs in the doc/ directory of the Snort Tarball.

Joel Esler

More information about the Snort-users mailing list