Snort mailing list archives
RE: Multiple sensors/interfaces, same daemon
From: "Murray, Todd" <Todd.Murray () adidasus com>
Date: Fri, 2 Jul 2004 12:07:59 -0700
The easiest way to do it is to just run separate processes. /usr/local/bin/snort -c /etc/snort/snort.eth0.conf -ieth0 -u snort -g snort -D /usr/local/bin/snort -c /etc/snort/snort.eth1.conf -ieth1 -u snort -g snort -D This way I can keep each sensor running completely separate of the other. If you want them to have them use 1 config just make sure to set HOME_NET to include the networks for both interfaces. var HOME_NET [10.1.1.0/24,24.57.12.0/24] Just remember that unless you specify the interface it will assume "any". I've found its much better to isolate snort as a non-privledged user/group and manage each interface as a separate sensor under separate processes. -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Sergio Caltagirone Sent: Thursday, July 01, 2004 11:00 AM To: Snort-users () lists sourceforge net Subject: [Snort-users] Multiple sensors/interfaces, same daemon Hey all, how do i configure a single snort daemon to act as a sensor on two interfaces? When I try '-i any' i pick up alot of traffic from 127.0.0.1 - which I'm guessing is the loopback; however, I get none from eth1 and just fine from eth0. Also, with 2 interfaces, how should the $HOME_NET and $EXTERNAL_NET be set? Thanks, Sergio ------------------------------------------------------- This SF.Net email sponsored by Black Hat Briefings & Training. Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This SF.Net email sponsored by Black Hat Briefings & Training. Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Multiple sensors/interfaces, same daemon Sergio Caltagirone (Jul 01)
- <Possible follow-ups>
- RE: Multiple sensors/interfaces, same daemon Joshua Berry (Jul 01)
- RE: Multiple sensors/interfaces, same daemon Murray, Todd (Jul 02)