Re: Snort start up on Multiple interface

[Matt Kettler <mkettler () evi-inc com>]

At 01:02 PM 4/27/2004, Brian Webster wrote:
> I have tried comma separted values eth0,eth1,eth2,eth3. no luck.
> I don't really want to get multiple intances of snort running unless that 
> is the only way.


AFAIK there's no support for specifying multiple interfaces to snort.

There's only 3 ways to do something like this:
        1) start multiple snorts
        2) create a bonded interface which combines all 4 and start snort 
on that.
        3) if you're on linux, you have the option of using "any" as an 
interface, which will pick up all the interfaces (including lo, if I'm not 
mistaken).


Fundamentally, a single snort opening 4 different ethernet ports is not 
substantialy lower overhead than 4 separate copies of snort, and the code 
is much less complex. Certainly the overhead savings is not enough to 
justify adding a ugly mess in the code that calls pcap, and add some minor 
slowdowns for every single-interface snort user.

Besides, bonded interfaces should let you do what you want without needing 
any support in the snort code.







-------------------------------------------------------
This SF.net email is sponsored by: The Robotic Monkeys at ThinkGeek
For a limited time only, get FREE Ground shipping on all orders of $35
or more. Hurry up and shop folks, this offer expires April 30th!
http://www.thinkgeek.com/freeshipping/?cpg=12297
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users