Snort mailing list archives
RE: Snort start up on Multiple interface
From: "Truax, Shawn (MBS)" <Shawn.Truax () mbs gov on ca>
Date: Tue, 27 Apr 2004 16:23:38 -0400
Hi Brian,

The only way that I know of, and the way that I use, is to use multiple instances of snort with their own config files. In my opinion this is actually the best way and gives added benefits when logging to a database and sniffing multiple segments of a network. I would assume that the 4 interfaces you have are not all sniffing the same segment of your network, and are on multiple segments of your network.

The real added advantage to this solution is signature tuning. By having multiple config files you can have multiple signature lists. One thing you will quickly find is that one signature on one segment of your network will produce many false positives while on a different segment it will produce none. By having multiple config files you can tailor each to the segment it is watching and actually potentially increase the performance of snort by weeding out the false positives in a more controlled manner.

Shawn Truax
Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario M5H 3B7
(416)327-1107

-----Original Message-----
From: Brian Webster [mailto:bwebster () ACDSystems com]
Sent: April 27, 2004 1:02 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort start up on Multiple interface

Hi.

I'm looking for a little "how-to" info to get Snort running on a 4 port NIC. It seems as though any attempt to add reference to additional interfaces in the etc/init.d/argus file are unsuccessful. (I am using the argus installation on Redhat9.0)

I have tried comma separated values eth0,eth1,eth2,eth3. No luck.

I don't really want to get multiple instances of snort running unless that is the only way. I'm just trying to get data logged from behind several switches to one machine.

Has anyone got any advice?

Brian
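The one-instance-per-interface setup described in the reply above, as an added example that is not part of the original message. The `snort-<iface>.conf` naming, the directory paths and the interface list are assumptions; `-i`, `-c`, `-l`, `-D` and `-T` are standard Snort options.

```shell
#!/bin/sh
# Added example: one Snort process per sniffing interface, each with its own
# config file (so each segment gets its own tuned rule list) and log directory.
# Assumed layout: $CONF_DIR/snort-<iface>.conf and $LOG_ROOT/<iface>/
CONF_DIR="${CONF_DIR:-/etc/snort}"
LOG_ROOT="${LOG_ROOT:-/var/log/snort}"
IFACES="${IFACES:-eth0 eth1 eth2 eth3}"
SNORT="${SNORT:-snort}"

# Print the command line used for one interface.
snort_cmd() {
    printf '%s -D -i %s -c %s/snort-%s.conf -l %s/%s\n' \
        "$SNORT" "$1" "$CONF_DIR" "$1" "$LOG_ROOT" "$1"
}

# Start one instance per interface; with DRY_RUN set, only print the commands.
# Returns 1 if any interface was skipped or failed, 0 otherwise.
start_all() {
    failed=0
    for ifc in $IFACES; do
        conf="$CONF_DIR/snort-$ifc.conf"
        if [ ! -r "$conf" ]; then
            echo "skip $ifc: no readable $conf" >&2
            failed=1
            continue
        fi
        if [ -n "${DRY_RUN:-}" ]; then
            snort_cmd "$ifc"
            continue
        fi
        mkdir -p "$LOG_ROOT/$ifc"
        # -T parses the config and exits; a broken per-segment config
        # should not leave that segment silently unmonitored.
        if "$SNORT" -T -i "$ifc" -c "$conf" -l "$LOG_ROOT/$ifc" >/dev/null 2>&1; then
            "$SNORT" -D -i "$ifc" -c "$conf" -l "$LOG_ROOT/$ifc" || failed=1
        else
            echo "skip $ifc: $conf failed snort -T" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Run as "script start" to launch; sourcing the file only defines the functions.
if [ "${1:-}" = "start" ]; then
    start_all
fi
```

Running it first with `DRY_RUN=1` shows which interfaces would be started and which lack a config.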
Current thread:
- Snort start up on Multiple interface Brian Webster (Apr 27)
- Message not available
- Re: Snort start up on Multiple interface Matt Kettler (Apr 27)
- Re: Snort start up on Multiple interface Daniel Wittenberg (Apr 27)
- Re: Snort start up on Multiple interface Edin Dizdarevic (Apr 28)
- Re: Snort start up on Multiple interface Matt Kettler (Apr 28)
- Re: Snort start up on Multiple interface Edin Dizdarevic (Apr 28)
- Re: Snort start up on Multiple interface Matt Kettler (Apr 28)
- Re: Snort start up on Multiple interface Edin Dizdarevic (Apr 28)
- Re: Snort start up on Multiple interface Milo Velimirovic (Apr 29)
- Re: Snort start up on Multiple interface Matt Kettler (Apr 27)
- Message not available
- <Possible follow-ups>
- RE: Snort start up on Multiple interface Truax, Shawn (MBS) (Apr 27)