Snort mailing list archives
Re: [Snorting 2 NICs]
From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 11 Jun 2002 10:46:00 -0700 (PDT)
On Tue, 11 Jun 2002, Gregory D Hough wrote:

[...snip...]

> ...here is where the trouble begins. The -I switch will not work at all
> for either command:
>
> ]# snort -c /usr/local/etc/snort/snortext.conf -I eth1
> Log directory = /var/log/snort
> Initializing Network Interface eth0
> ERROR: OpenPcap() FSM compilation failed: parse error
> PCAP command: eth1
> Fatal Error, Quitting..

Ok, let's take a quick check on the snort options:

    -i <if>    Listen on interface <if>
    -I         Add Interface name to alert output

Now, you have just told snort that you want to add the interface name to the
output. Then you tried to send it a BPF filter of 'eth1' which it doesn't
understand.

> But the switch -i does:
>
> ]# snort -c /usr/local/etc/snort/snortext.conf -i eth1
> Log directory = /var/log/snort

[...snip...]

> Works as supposed to. :)

The best way for you to do what you want:

    snort -c /etc/snort.internal.conf -i eth1 -I
    snort -c /etc/snort.external.conf -i eth0 -I

> One thing I should mention is that being sort of a newbie, I am trying to
> administer most servers /etc from the Webmin GUI. Don't laugh, it is a good
> learning tool. I am comfortable at the command line however. The Webmin tool
> only allows me to set up a single interface. So I use it for the internal and
> fire up the external via the shell. Just out of curiosity, is it possible to
> initialize both interfaces with a single command? For example, Sandro offered
> a snort.multi script, but it was way out of my league. I do run a few scripts
> for port forwarding to a win box, but they are very simple.
From the FAQ:

http://www.snort.org/docs/faq.html#3.4

You can easily build your own startup script that will fire off two instances
with different configs on different nets. It doesn't take that much to
understand how to write shell scripts--Once you get that down, it's all
downhill from there. :)

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
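
The kind of startup script the reply suggests, as an added example that is not part of the original message or the Snort FAQ: it launches one Snort instance per interface, each with its own config. The interface names and config paths are the ones from the thread; `SNORT_BIN`, `LOG_ROOT`, `DRY_RUN`, the per-interface `-l` directories and the use of `-D` are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: one Snort instance per interface, each with its own config.
# Interfaces and config paths are taken from the message above; everything
# else (SNORT_BIN, LOG_ROOT, DRY_RUN, log layout) is an assumption.

SNORT_BIN=${SNORT_BIN:-snort}
LOG_ROOT=${LOG_ROOT:-/var/log/snort}
# interface:config pairs, one per sensor
SENSORS="eth1:/etc/snort.internal.conf eth0:/etc/snort.external.conf"

# Print the command line for one sensor.
#   -i <if>   listen on interface <if> (lower case, takes an argument)
#   -I        add the interface name to alert output (takes NO argument)
#   -l <dir>  log directory, one per interface so the instances stay separate
#   -D        run as a daemon
snort_cmd() {
    iface=$1 conf=$2
    case $iface in
        ''|-*) echo "bad interface name: '$iface'" >&2; return 1 ;;
    esac
    echo "$SNORT_BIN -c $conf -i $iface -I -l $LOG_ROOT/$iface -D"
}

# Start every sensor; with DRY_RUN set, only print what would be run.
start_all() {
    rc=0
    for pair in $SENSORS; do
        iface=${pair%%:*} conf=${pair#*:}
        cmd=$(snort_cmd "$iface" "$conf") || { rc=1; continue; }
        if [ -n "$DRY_RUN" ]; then
            echo "$cmd"
        elif [ ! -r "$conf" ]; then
            echo "skip $iface: cannot read $conf" >&2; rc=1
        else
            mkdir -p "$LOG_ROOT/$iface" && $cmd || rc=1
        fi
    done
    return $rc
}

case ${1:-} in
    start) start_all ;;
    show)  DRY_RUN=1 start_all ;;
esac
```

Run it with `show` first to see the two command lines, then with `start` as root.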