[Snort-users] snort with two interface

Leonardo Pezente lmpezente at ...11827...
Wed Dec 5 13:11:19 EST 2012


Jeremy, when you say "listen on the bonded interface", do you mean something like
this: snort -c .. -i eth0:eth1 ... ? Because I have tried that, and it
didn't work.
I like the idea of the afpacket; I didn't know you could use it in IDS
mode, usually people use it with Snort inline.

2012/12/5 Michael Altizer <maltizer at ...1935...>

> Alternatively, you could just use the AFPacket DAQ module to listen on
> multiple interfaces.  Just make sure you don't put Snort in inline mode
> or it will bridge them.
>
> On 12/05/2012 11:53 AM, Jeremy Hoel wrote:
> > And without patching, you could bond the two interfaces together and
> > listen on the bonded interface.  The only downside of both of those
> > options is not knowing what NIC saw the bad traffic.. you could go off
> > IP of course, if that makes sense for your network design.
> >
> >
> >
> > On Wed, Dec 5, 2012 at 4:16 PM, Jaime Nebrera <jnebrera at ...11827...> wrote:
> >>    Hi Leonardo,
> >>
> >>    This is not fully right. With proper patching Snort can read from
> >> multiple interfaces within the same instance. This is BTW, what we have
> >> done in redBorder project
> >>
> >>
> >> On 05/12/12 17:11, Leonardo Pezente wrote:
> >>
> >> Yeah, you were right, I can just run one interface per instance of Snort
> >> I run.
> >> Thanks, James
> >> 2012/12/5 Lay, James <james.lay at ...15009...>
> >>>
> >>>
> >>>
> >>>
> >>> From: Leonardo Pezente [mailto:lmpezente at ...11827...]
> >>> Sent: Wednesday, December 05, 2012 8:52 AM
> >>> To: snort-users at lists.sourceforge.net
> >>> Subject: [Snort-users] snort with two interface
> >>>
> >>>
> >>>
> >>> I have Snort at the border of a network and, as this topic shows, it
> >>> has two interfaces. I have set HOME_NET equal to the IP of both
> >>> interfaces.
> >>>
> >>> The thing is: on one of them I can detect attacks, but on the other I
> >>> can't.
> >>>
> >>> When I started testing, I was using just one (the interface that is
> >>> detecting).
> >>>
> >>> But I particularly need the other to detect too. So, what could be wrong?
> >>>
> >>> My snort.conf is working fine, and it is starting on boot, sniffing both
> >>> interfaces.
> >>>
> >>> This might be a problem with pcap?
> >>>
> >>>
> >>>
> >>> I believe Snort can only listen on one interface at a time, so you may
> >>> want to run two separate instances of snort.
> >>>
> >>>
> >>>
> >>> James
> >>
> >>
> >>
> ------------------------------------------------------------------------------
> >> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
> >> Remotely access PCs and mobile devices and provide instant support
> >> Improve your efficiency, and focus on delivering more value-add services
> >> Discover what IT Professionals Know. Rescue delivers
> >> http://p.sf.net/sfu/logmein_12329d2d
> >>
> >> _______________________________________________
> >> Snort-users mailing list
> >> Snort-users at lists.sourceforge.net
> >> Go to this URL to change user options or unsubscribe:
> >> https://lists.sourceforge.net/lists/listinfo/snort-users
> >> Snort-users list archive:
> >> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >>
> >> Please visit http://blog.snort.org to stay current on all the latest
> Snort
> >> news!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20121205/8f3833ff/attachment.html>
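
Added example, not written by any poster in this thread: a shell sketch of two of the setups the replies describe, one passive AFPacket instance covering both NICs, and one Snort instance per NIC so each alert stays attributable to an interface. The interface names, config path and log directory layout are assumptions, and the functions only print the Snort 2.9 command lines for review rather than starting Snort.

```shell
#!/bin/sh
# Added example. Assumed values (not from the thread): config path, log root.
CONF=/etc/snort/snort.conf
LOGROOT=/var/log/snort

# Return 1 if any option would put Snort in inline mode. With the afpacket
# DAQ, inline mode bridges the interface pair instead of just listening.
reject_inline() {
    prev=""
    for arg in "$@"; do
        case "$arg" in
            -Q|--daq-mode=inline) return 1 ;;
            inline) [ "$prev" = "--daq-mode" ] && return 1 ;;
        esac
        prev=$arg
    done
    return 0
}

# One instance on several NICs. $1 is the colon-separated interface list;
# remaining arguments are extra Snort options, vetted before use.
# The colon-separated list is parsed by the afpacket DAQ; the default pcap
# DAQ takes -i as a single device name.
afpacket_cmd() {
    ifaces=$1; shift
    if ! reject_inline "$@"; then
        echo "refusing inline mode: it would bridge $ifaces" >&2
        return 1
    fi
    set -- snort --daq afpacket --daq-mode passive -i "$ifaces" \
        -c "$CONF" -l "$LOGROOT" "$@"
    echo "$*"
}

# One instance per NIC, each logging to its own (pre-created) directory,
# so the log location tells you which interface saw the traffic.
per_nic_cmds() {
    for nic in "$@"; do
        echo "snort -i $nic -c $CONF -l $LOGROOT/$nic -D"
    done
}

afpacket_cmd eth0:eth1
per_nic_cmds eth0 eth1
```

The single AFPacket instance shares one log directory, which is the attribution trade-off raised in the thread; the per-NIC form avoids it at the cost of running two processes.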

