Snort mailing list archives

Re: Promiscuous mode on only one interface


From: "Patrick S. Harper" <lists () internetsecurityguru com>
Date: 29 Mar 2003 17:08:49 -0800

This will most likely be the first of many responses that read somewhat
like the following:

http://www.snort.org/docs/faq.html#3.4

--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How can I run snort on multiple interfaces simultaneously?

A: If you aren't running snort on linux 2.1.x/2.2.x kernel (with LPF
available) the only way is to run multiple instances of snort, one
instance per interface (with the -i option specifying the interface).
However for linux 2.1.x/2.2.x and higher you can use libpcap library
with S. Krahmer's patch which allows you to specify 'any' as interface
name. In this case snort will be able to process traffic coming to all
interfaces.
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--


On Sat, 2003-03-29 at 14:36, Brei, Matt wrote:
Greetings,
 
I am using snort 1.9.1 on Red Hat 8.0.  The machine has 2 NICs, one for
Internet and one for LAN, and is running an iptables script to route and
firewall the connection to the Internet.  Everything is working great,
but I can't get snort to listen on both interfaces.  I would like to see
what snort picks up before the firewall has a chance to drop it.  I'm
not sure if it has anything to do with it, but eth0 (LAN) is the only one of
the two that runs in promiscuous mode.  Any advice would be appreciated.
 
 
Matt
-- 
Patrick S. Harper | CISSP MCSE
patrick () internetsecurityguru com
www.internetsecurityguru.com

"If we aren't supposed to eat 
animals, why are they made
of meat?"



