Re: two interfaces?

[Bennett Todd <bet () rahul net>]

2002-09-23-17:04:15 Erek Adams:
> On Mon, 23 Sep 2002, Daniel Curry wrote:
> > Which is better?
> > Having one snort daemon run with two "-i" option
> > or have multiple snort daemon with one "-i" option?
> > We would like to monitor two promiscuous interface.
>
> You can't use multiple -i statements and have snort sniff two interfaces.  If
> you are using Linux kernel 2.3+ you can use the '-i any' instead.  Otherwise,
> use two instances.

Or, if you e.g. wish to sniff two unnumbered interfaces but not your
numbered (mgmt) interface; and if you wish to have one snort
instance watching both those interfaces (in case e.g. outbound
packets of a connection are seen on one interface and return packets
are seen on the other), then you could bond the channels. With
recent Linuxes that'd be described in the kernel src tree in
Documentation/networking/bonding.txt; in short, it's something like
a one-time:

        echo alias bond0 bonding >>/etc/modules.conf

then boot-time:

        ifconfig bond0 up
        ifenslave bond0 eth1
        ifenslave bond0 eth2
        snort -i bond0 ...

-Bennett

Attachment: _bin
Description: