Can snort ignore eth0 when monitoring "any" interface?

[Jason Haar <Jason.Haar () trimble co nz>]

I'm wanting to setup Snort so that eth0 is the admin interface connected to
the LAN, and eth1 and eth2 point to separate DMZs to monitor.

However, telling Snort to monitor "any" interface works too well. I'm now
catching all the cr*p NetBIOS traffic on our LAN via snort too - which I
don't want to do...

Now I know I can run two instances of snort instead, but I was wondering if
a "![lo,eth0]" might be a future config option... Or is there some other way
of achieving the same effect?

[I guess this is actually a pcap issue...]

Redhat 7.1 with snort-1.8.3

-- 
Cheers

Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users