Snort mailing list archives
Re: Multiple IF
From: Erek Adams <erek () theadamsfamily net>
Date: Sat, 18 Aug 2001 12:47:53 -0700 (PDT)
On Sat, 18 Aug 2001, Andrew Stubbs wrote:
I have tried setting snort to run on multiple interfaces in 2 ways 1) Using multiple address/masks (implicit ip HOME_NET [xxx.xxx.xxx.xxx/32,yyyy.yyyy.yyyy.yyyy/32] 2) Using seperate instances of snort with diff config files. Also tried using HOME_NET [$eth0_ADDRESS,$eth1_ADDRESS] produces an error (snort: [!] ERROR /etc/snort/rules/snort2.conf (40): Bad value in variable definition! snort: FATAL ERROR: Make sure you don't have a "$" in the var name ) In either event the second i/f never goes into promisc mode and thus no packets logged. Running: Linux 2.4.2., latest libpcap etc, Snort Version 1.8.1-beta7. Dual nic (3c59x)
Two suggestions: Go to 1.8.1-RELEASE; go grab the 0.6.2 version of libpcap, if you don't have it (you didn't specify the version so I'm guessing). With that you should be able to have it use any interfaces. You can use "-i any" to have one proc look at both nics on a Linux box, IIRC. Disclaimer: I'm not a Linux person, in any way--So I might be smokin' crack on this one.... :) Any Linux folks out there want to correct my cluelessness? ----- Erek Adams Nifty-Type-Guy TheAdamsFamily.Net _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Multiple IF Andrew Stubbs (Aug 18)
- Re: Multiple IF Jason Costomiris (Aug 18)
- Re: Multiple IF Erek Adams (Aug 18)
- Re: Multiple IF Phil Wood (Aug 18)
- <Possible follow-ups>
- RE: Multiple IF Tom Sevy (Aug 18)