[Snort-users] snort with two interface

Jeremy Hoel jthoel at ...11827...
Wed Dec 5 13:26:10 EST 2012


No, you define a bonded interface up front (bond0) and then use that
bonded interface as the name '-i bond0'.


In your network.interfaces file, it looks kind of like this (Debian-based):

auto bond0
iface bond0 inet manual
 bond-slaves none
 bond-mode 0
 bond-miimon 100
 up ifconfig bond0 promisc up

auto eth1
iface eth1 inet manual
 up ifconfig eth1 promisc up
 bond-master bond0
 bond-primary eth1 eth2

auto eth2
iface eth2 inet manual
 up ifconfig eth2 promisc up
 bond-master bond0
 bond-primary eth1 eth2




On Wed, Dec 5, 2012 at 6:11 PM, Leonardo Pezente <lmpezente at ...11827...> wrote:
> Jeremy, when you say "listen on the bonded interface" you mean something like
> that: snort -c .. -i eth0:eth1 ... ? Because I have tried that, and it didn't
> work.
> I like the idea of the afpacket, I didn't know you could use it in the IDS
> mode, usually people use it on snort inline.
>
> 2012/12/5 Michael Altizer <maltizer at ...1935...>
>>
>> Alternatively, you could just use the AFPacket DAQ module to listen on
>> multiple interfaces.  Just make sure you don't put Snort in inline mode
>> or it will bridge them.
>>
>> On 12/05/2012 11:53 AM, Jeremy Hoel wrote:
>> > And without patching, you could bond the two interfaces together and
>> > listen on the bonded interface.  The only downside of both of those
>> > options is not knowing what NIC saw the bad traffic.. you could go off
>> > IP of course, if that makes sense for your network design.
>> >
>> >
>> >
>> > On Wed, Dec 5, 2012 at 4:16 PM, Jaime Nebrera <jnebrera at ...11827...>
>> > wrote:
>> >>    Hi Leonardo,
>> >>
>> >>    This is not fully right. With proper patching Snort can read from
>> >> multiple interfaces within the same instance. This is, BTW, what we have
>> >> done in the redBorder project.
>> >>
>> >>
>> >> On 05/12/12 17:11, Leonardo Pezente wrote:
>> >>
>> >> Yeah, you were right, I can just run one interface per instance of snort I
>> >> run.
>> >> Thanks James
>> >> 2012/12/5 Lay, James <james.lay at ...15009...>
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> From: Leonardo Pezente [mailto:lmpezente at ...11827...]
>> >>> Sent: Wednesday, December 05, 2012 8:52 AM
>> >>> To: snort-users at lists.sourceforge.net
>> >>> Subject: [Snort-users] snort with two interface
>> >>>
>> >>>
>> >>>
>> >>> I have the snort in the border of a network, and as this topic shows, it
>> >>> has two interfaces. I have put the HOME_NET equal to the IP of both
>> >>> interfaces.
>> >>>
>> >>> The thing is: in one of them I can detect attacks, but in the other I
>> >>> can't.
>> >>>
>> >>> When I started to test, I was using just one (the interface that is
>> >>> detecting).
>> >>>
>> >>> But I particularly need the other to detect too. So, what could be
>> >>> wrong?
>> >>>
>> >>> My snort.conf is working fine, and it is starting on boot sniffing
>> >>> both interfaces.
>> >>>
>> >>> This might be a problem with pcap?
>> >>>
>> >>>
>> >>>
>> >>> I believe Snort can only listen on one interface at a time, so you may
>> >>> want to run two separate instances of snort.
>> >>>
>> >>>
>> >>>
>> >>> James
>> >>
>> >>
>> >>
>> >> ------------------------------------------------------------------------------
>> >> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
>> >> Remotely access PCs and mobile devices and provide instant support
>> >> Improve your efficiency, and focus on delivering more value-add
>> >> services
>> >> Discover what IT Professionals Know. Rescue delivers
>> >> http://p.sf.net/sfu/logmein_12329d2d
>> >>
>> >> _______________________________________________
>> >> Snort-users mailing list
>> >> Snort-users at lists.sourceforge.net
>> >> Go to this URL to change user options or unsubscribe:
>> >> https://lists.sourceforge.net/lists/listinfo/snort-users
>> >> Snort-users list archive:
>> >> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> >>
>> >> Please visit http://blog.snort.org to stay current on all the latest
>> >> Snort
>> >> news!
>> >>
>> >>
>> >>
>> >>
>> >
>>
>>
>>
>
>
>

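
An added example, not part of the original thread: a shell check for the bonded sensor setup described at the top of this message, reporting any slave with no link and any interface that is not promiscuous, since either leaves Snort on bond0 silently blind to one side. It assumes the Linux /proc/net/bonding and /sys/class/net layouts; the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# bond_down_slaves: read text in /proc/net/bonding/<bond> format on stdin and
# print every slave whose MII status is not "up".
bond_down_slaves() {
    awk '
        /^Slave Interface:/ { slave = $3; next }
        slave != "" && /^MII Status:/ {
            if ($3 != "up") print slave
            slave = ""
        }'
}

# is_promisc: take the hex value from /sys/class/net/<if>/flags and succeed
# when IFF_PROMISC (0x100) is set.
is_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# Constructed sample of /proc/net/bonding/bond0 in which eth2 has lost link.
SAMPLE_BOND='Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth1
MII Status: up
Link Failure Count: 0

Slave Interface: eth2
MII Status: down
Link Failure Count: 3'

# check_bond <bond>: live check on a real sensor (needs the bonding driver).
check_bond() {
    bond=$1
    down=$(bond_down_slaves < "/proc/net/bonding/$bond") || return 2
    [ -z "$down" ] || { echo "no link on: $down"; return 1; }
    for dev in "$bond" $(cat "/sys/class/net/$bond/bonding/slaves"); do
        is_promisc "$(cat "/sys/class/net/$dev/flags")" ||
            { echo "$dev is not promiscuous"; return 1; }
    done
    echo "$bond ok"
}
```

On a sensor, run `check_bond bond0` before starting Snort with `-i bond0`; a non-zero return means one of the bonded NICs would contribute no traffic.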


