Snort mailing list archives

Re: Binding snort to multiple interfaces


From: "Rolf A. Vaglid" <rolf () qt-developer org>
Date: Thu, 08 Apr 2004 02:09:20 +0200

eric-dated-1083277626.193075aa63e273 () catastrophe net wrote:

On Wed, 2004-04-07 at 16:48:17 -0500, eamonn doyle proclaimed...

Patrick is right: run 2 snort processes. Here is what I use; it will get you the eth0 and eth1 you want to differentiate between the interfaces.

/usr/local/bin/snort -d -i eth0 -I -D
/usr/local/bin/snort -d -i eth1 -I -D
/usr/local/bin/snort -d -i eth2 -I -D

This works for me; I run it from the directory that contains the conf file and
Thanks.

So then my question is: is any work being done on making multiple
interfaces possible? I'd think folks monitoring separate interfaces
would enjoy this, especially if each alert was tagged with an
interface ID.
I use the Snort 2.1.2 rpms on Fedora Core 1 and it listens to my two VLAN interfaces out of the box.
The /etc/init.d/snort script contains the following:

       if [ "$INTERFACE" = "-i ALL" ]; then
          for i in `cd /proc/sys/net/ipv4/conf; ls -d eth* | sed s/"\/"//g`
          do
               mkdir -p "$LOGDIR/$i"
               chown -R snort:snort $LOGDIR
               daemon /usr/sbin/snort $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP \
                   $CONF -l $LOGDIR/$i $PASS_FIRST
          done
       else
          daemon /usr/sbin/snort $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP \
              $CONF -l $LOGDIR $PASS_FIRST
       fi

This searches the /proc/sys/net/ipv4/conf/ directory for interfaces beginning with eth*.
/proc/sys/net/ipv4/conf/ contains configurations for all the interfaces, in my case:
all  default  eth0.188  eth0.4  lo
Since the script finds two interfaces whose names start with eth*, it automatically starts two snort instances, and each instance is associated with a separate sensor.

If you are using VLANs like me, be aware that VLANs might have different naming policies (eth0.4, vlan0004, eth0004).
With this script only those beginning with eth will work. This is easy to fix if you have to use the vlan0004 method.

Cheers
Rolf
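The loop in Rolf's init script only matches eth*; as an added example (not from the original post or from the Fedora Snort package), here is a small POSIX sh version of the same idea that also accepts the vlan0004 naming policy and builds one snort command per interface, each with its own log directory. The snort binary path and the LOGDIR/CONF values are placeholders, and the demo runs against a constructed directory instead of the real /proc.

```shell
# list_sensor_ifaces DIR: print the interface names under DIR that look like
# Ethernet or VLAN interfaces under either naming policy (eth0.4, eth0004,
# vlan0004). The pseudo-entries all, default and lo match neither pattern
# and are skipped.
list_sensor_ifaces() {
    dir="$1"
    for path in "$dir"/*; do
        [ -e "$path" ] || continue
        name=$(basename "$path")
        case "$name" in
            eth*|vlan[0-9]*) printf '%s\n' "$name" ;;
        esac
    done
}

# build_snort_cmds DIR LOGDIR CONF: emit one snort command line per interface.
# -I prints the interface name in each alert and -l gives every instance its
# own log directory, so an alert can always be traced back to the interface.
# (Assumed: /usr/sbin/snort as the binary; LOGDIR and CONF come from the caller.)
build_snort_cmds() {
    dir="$1"; logdir="$2"; conf="$3"
    list_sensor_ifaces "$dir" | while read -r i; do
        printf '/usr/sbin/snort -D -I -i %s -c %s -l %s/%s\n' \
            "$i" "$conf" "$logdir" "$i"
    done
}

# Dry run against a constructed directory tree (not the real
# /proc/sys/net/ipv4/conf), so it can be exercised without root or any NICs.
demo() {
    tmp=$(mktemp -d) || return 1
    for n in all default eth0.188 eth0.4 lo vlan0004; do mkdir "$tmp/$n"; done
    build_snort_cmds "$tmp" /var/log/snort /etc/snort/snort.conf
    rm -rf "$tmp"
}

demo
```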
