Snort mailing list archives
RE: Configuration issue, Part II
From: "DJDave Sobel" <dave () evolvetech com>
Date: Mon, 24 Sep 2001 21:28:27 -0400
This was the kicker -- I needed to run multiple instances of snort, one bound to each interface. Interestingly, it was defaulting to eth0, which was a "very secure" interface and was having everything blocked by ipchains. Since I'm using snort to see everything that the firewall misses, this is now working great.

Thanks for the help guys!!

Dave

-----Original Message-----
From: root () cmc cwo net au [mailto:root () cmc cwo net au] On Behalf Of Chris Keladis
Sent: Monday, September 24, 2001 8:44 AM
To: DJDave Sobel
Cc: 'Erek Adams'; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Configuration issue, Part II

DJDave Sobel wrote:

Hi Dave,

> How do you specify which interface to use?

The -i switch to snort.

> And of more importance to me, how do you specify binding to multiple interfaces? I'd like it to be watching traffic to all the internal networks, not just one... (that way, I can see what ipchains missed..)

This is in the Snort FAQ, but if you run a Linux 2.4 kernel and a special patch to Snort, and specify '-i any', Snort will monitor all interfaces (not certain if this patch has found its way into mainstream Snort?)

Failing that you can do as I have done and run a Snort instance on each interface. It works quite well especially if you use Demarc, since each Snort instance counts as a separate sensor.

I used the -I switch to make Snort list the interfaces in the ASCII alerts to make it easier to visualise where a packet came from.

Visit the FAQ at www.snort.org for more specific details.

Regards,

Chris.
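
The one-instance-per-interface setup described in the message above, as an added example that is not part of the original thread or of the Snort project. It uses the -i and -I switches named in the message; the configuration path, log root and interface names are assumptions, and it only prints the commands unless SNORT_RUN=1 is set.

```shell
#!/bin/sh
# Added example: plan (and optionally start) one Snort instance per interface.
# Assumed paths, not from the thread: SNORT_CONF and LOG_ROOT.
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
LOG_ROOT="${LOG_ROOT:-/var/log/snort}"

# Accept only plain interface names (eth0, eth1.10, ...), so a name can
# never smuggle options or path components into the command line.
valid_iface() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9_.:-]*|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the command line for one interface:
#   -i <iface>  bind this instance to the interface
#   -I          include the interface name in alert output
#   -l <dir>    per-interface log directory, so sensors do not mix output
#   -D          run as a daemon
snort_cmd() {
    valid_iface "$1" || { echo "skip: bad interface name '$1'" >&2; return 1; }
    echo "snort -D -I -i $1 -c $SNORT_CONF -l $LOG_ROOT/$1"
}

# Dry run by default; set SNORT_RUN=1 to create the log dirs and start Snort.
start_sensors() {
    rc=0
    for ifc in "$@"; do
        cmd=$(snort_cmd "$ifc") || { rc=1; continue; }
        if [ "${SNORT_RUN:-0}" = 1 ]; then
            mkdir -p "$LOG_ROOT/$ifc" && $cmd || rc=1
        else
            echo "$cmd"
        fi
    done
    return $rc
}

# Example invocation: ./snort-per-iface.sh eth0 eth1 eth2
start_sensors "$@"
```

Keeping a separate log directory per interface means alerts from the externally facing and internal sensors can be compared directly against what the firewall was expected to block.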