Snort mailing list archives
Re: snort with two interface
From: Leonardo Pezente <lmpezente () gmail com>
Date: Wed, 5 Dec 2012 16:11:19 -0200
Jeremy, when u say "listen on the bonded interface" u means some think like that: snort -c .. -i eth0:eth1 ... ? because i have tried that, and it didnt work. i like the idea of the afpacket, i didnt know u could use it in the ids mode, usually people use it on snort inline. 2012/12/5 Michael Altizer <maltizer () sourcefire com>
Alternatively, you could just use the AFPacket DAQ module to listen on multiple interfaces. Just make sure you don't put Snort in inline mode or it will bridge them. On 12/05/2012 11:53 AM, Jeremy Hoel wrote:And without patching, you could bond the two interfaces together and listen on the bonded interface. The only downside of both of those options is not knowing what NIC saw the bad traffic.. you could go of IP of course, if that makes sense for your network design. On Wed, Dec 5, 2012 at 4:16 PM, Jaime Nebrera <jnebrera () gmail com>wrote:Hi Leonardo, This is not fully right. With proper patching Snort can read frommultipleinterfaces within the same instance. This is BTW, what we have done in redBorder project On 05/12/12 17:11, Leonardo Pezente wrote: yeah yuo were right, i just can run one interface per instance of snortirun. thanks James 2012/12/5 Lay, James <james.lay () wincofoods com>From: Leonardo Pezente [mailto:lmpezente () gmail com] Sent: Wednesday, December 05, 2012 8:52 AM To: snort-users () lists sourceforge net Subject: [Snort-users] snort with two interface i have the snort in the border of a network, and how this topic shows,ithas two interface. i have put the HOME_NET equal to the ip of the both interfaces. the think is: in one of them i can detect attacks, but in the other i cant. when i start to test, i was using just one (the iterface that is detecting). but i need particular that the other detect too. so, what could bewrong?my snort.conf is working fine, and i he is starting on boot sniffingbothinterface. This might be a problem with pcap? I believe Snort can only listen on one interface at a time, so you may want to run two separate instances of snort. James------------------------------------------------------------------------------LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial Remotely access PCs and mobile devices and provide instant support Improve your efficiency, and focus on delivering more value-add services Discover what IT Professionals Know. Rescue delivers http://p.sf.net/sfu/logmein_12329d2d _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latestSnortnews!------------------------------------------------------------------------------LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial Remotely access PCs and mobile devices and provide instant support Improve your efficiency, and focus on delivering more value-add services Discover what IT Professionals Know. Rescue delivers http://p.sf.net/sfu/logmein_12329d2d _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latestSnortnews!------------------------------------------------------------------------------LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial Remotely access PCs and mobile devices and provide instant support Improve your efficiency, and focus on delivering more value-add services Discover what IT Professionals Know. Rescue delivers http://p.sf.net/sfu/logmein_12329d2d _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latestSnort news! ------------------------------------------------------------------------------ LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial Remotely access PCs and mobile devices and provide instant support Improve your efficiency, and focus on delivering more value-add services Discover what IT Professionals Know. Rescue delivers http://p.sf.net/sfu/logmein_12329d2d _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial Remotely access PCs and mobile devices and provide instant support Improve your efficiency, and focus on delivering more value-add services Discover what IT Professionals Know. Rescue delivers http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- snort with two interface Leonardo Pezente (Dec 05)
- Re: snort with two interface Lay, James (Dec 05)
- Re: snort with two interface Leonardo Pezente (Dec 05)
- Re: snort with two interface Jaime Nebrera (Dec 05)
- Re: snort with two interface Jeremy Hoel (Dec 05)
- Re: snort with two interface Michael Altizer (Dec 05)
- Re: snort with two interface Jeremy Hoel (Dec 05)
- Re: snort with two interface Leonardo Pezente (Dec 05)
- Re: snort with two interface Jeremy Hoel (Dec 05)
- Re: snort with two interface Lay, James (Dec 05)
- Re: snort with two interface Russ Combs (Dec 05)
- Re: snort with two interface Leonardo Pezente (Dec 05)
- Re: snort with two interface Lay, James (Dec 05)