Snort mailing list archives
Re: Snort startup with multiple interfaces
From: Douglas Hart <douglas () eu kddi com>
Date: Thu, 11 Sep 2003 11:52:59 +0100
Not sure about FreeBSD, but you can do this on OpenBSD by configuring NIC 1 and 2 as bridge interfaces (learn and discover disabled). Snort can then listen to the combined TX/RX traffic on the logical bridge0 interface.
Rgds, Doug Jade E. Deane wrote the following on 11/09/2003 02:53:
How about a FreeBSD machine being used as a sensor, where the ingress and egress traffic comes in mirrored on different interfaces. I have a physical Ethernet tap that takes TX traffic to NIC 1, and RX traffic to NIC 2. I run separate snort instances for each.... to me, this is, well, stupid. There must be a better way, or a method of combinging the TX/RX data to one logical interface, in lieu of using a switch SPAN or mirror port. Regards, Jade On Wed, 2003-09-10 at 11:12, J.Mann wrote:Since I have 4 eth commands there, will Snort take them all and listenon each interface?This is mentioned in the FAQ: http://www.snort.org/docs/faq.html#3.4 Regards, Jon Mann On Wed, Sep 10, 2003 at 11:11:28AM -0400, Frye, Dan wrote:I'm running Snort 2.01 on linux. I'm using the command line: /app/snort/bin/snort -U -d -D -c -o /app/snort/snort.conf -i eth0 -i eth1 -i eth3 -i eth4 Since I have 4 eth commands there, will Snort take them all and listen on each interface? I don't have my taps yet so I can't test it, but am hoping someone can confirm or deny this config. Thanks. d ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort startup with multiple interfaces Frye, Dan (Sep 10)
- Re: Snort startup with multiple interfaces J.Mann (Sep 10)
- Re: Snort startup with multiple interfaces Jade E. Deane (Sep 10)
- Re: Snort startup with multiple interfaces Douglas Hart (Sep 11)
- Re: Snort startup with multiple interfaces Jade E. Deane (Sep 10)
- <Possible follow-ups>
- Re: Snort startup with multiple interfaces Matt Kettler (Sep 10)
- Re: Snort startup with multiple interfaces J.Mann (Sep 10)