[Snort-users] snort with two interface

Jeremy Hoel jthoel at ...11827...
Wed Dec 5 13:08:09 EST 2012


Didn't know that.  nice.  I haven't played with the DAQ's much or
looked at the differences and options.  Very cool.

How would you report that interface that it came on for by2?



On Wed, Dec 5, 2012 at 5:52 PM, Michael Altizer <maltizer at ...1935...> wrote:
> Alternatively, you could just use the AFPacket DAQ module to listen on
> multiple interfaces.  Just make sure you don't put Snort in inline mode
> or it will bridge them.
>
> On 12/05/2012 11:53 AM, Jeremy Hoel wrote:
>> And without patching, you could bond the two interfaces together and
>> listen on the bonded interface.  The only downside of both of those
>> options is not knowing what NIC saw the bad traffic.. you could go of
>> IP of course, if that makes sense for your network design.
>>
>>
>>
>> On Wed, Dec 5, 2012 at 4:16 PM, Jaime Nebrera <jnebrera at ...11827...> wrote:
>>>    Hi Leonardo,
>>>
>>>    This is not fully right. With proper patching Snort can read from multiple
>>> interfaces within the same instance. This is BTW, what we have done in
>>> redBorder project
>>>
>>>
>>> On 05/12/12 17:11, Leonardo Pezente wrote:
>>>
>>> yeah yuo were right, i just can run one interface per instance of snort i
>>> run.
>>> thanks James
>>> 2012/12/5 Lay, James <james.lay at ...15009...>
>>>>
>>>>
>>>>
>>>>
>>>> From: Leonardo Pezente [mailto:lmpezente at ...11827...]
>>>> Sent: Wednesday, December 05, 2012 8:52 AM
>>>> To: snort-users at lists.sourceforge.net
>>>> Subject: [Snort-users] snort with two interface
>>>>
>>>>
>>>>
>>>> i have the snort in the border of a network, and how this topic shows, it
>>>> has two interface. i have put the HOME_NET equal to the ip of the both
>>>> interfaces.
>>>>
>>>> the think is: in one of them i can detect attacks, but in the other i
>>>> cant.
>>>>
>>>> when i start to test, i was using just one (the iterface that is
>>>> detecting).
>>>>
>>>> but i need particular that the other detect too. so, what could be wrong?
>>>>
>>>> my snort.conf is working fine, and i he is starting on boot sniffing both
>>>> interface.
>>>>
>>>> This might be a problem with pcap?
>>>>
>>>>
>>>>
>>>> I believe Snort can only listen on one interface at a time, so you may
>>>> want to run two separate instances of snort.
>>>>
>>>>
>>>>
>>>> James
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
>>> Remotely access PCs and mobile devices and provide instant support
>>> Improve your efficiency, and focus on delivering more value-add services
>>> Discover what IT Professionals Know. Rescue delivers
>>> http://p.sf.net/sfu/logmein_12329d2d
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest Snort
>>> news!
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
>>> Remotely access PCs and mobile devices and provide instant support
>>> Improve your efficiency, and focus on delivering more value-add services
>>> Discover what IT Professionals Know. Rescue delivers
>>> http://p.sf.net/sfu/logmein_12329d2d
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest Snort
>>> news!
>> ------------------------------------------------------------------------------
>> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
>> Remotely access PCs and mobile devices and provide instant support
>> Improve your efficiency, and focus on delivering more value-add services
>> Discover what IT Professionals Know. Rescue delivers
>> http://p.sf.net/sfu/logmein_12329d2d
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
>
> ------------------------------------------------------------------------------
> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
> Remotely access PCs and mobile devices and provide instant support
> Improve your efficiency, and focus on delivering more value-add services
> Discover what IT Professionals Know. Rescue delivers
> http://p.sf.net/sfu/logmein_12329d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!




More information about the Snort-users mailing list