Snort mailing list archives

RE: Multihomed Sensor


From: "mailing-list" <mailing-list () hcch com>
Date: Sat, 31 Jan 2004 18:14:21 -0600

Thanks for all the replies.  I now have snort running using 4 different
conf files on 4 different NICs.  
However, I am running nessus against 1 of those subnets to check and
ACID is not showing anything.  
snort -U -i eth1 -d -D -l /var/log/snort.eth1 -c /etc/snort.eth1/snort.conf
output database: log, mysql, dbname=snort user=snort host=localhost port=3306 password=snort sensor_name=eth1
When I run snort -v -I eth1 -c /etc/snort.eth1/snort.conf all I get are
a bunch of broadcasts.
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of DeBerry,
Casey
Sent: Wednesday, January 28, 2004 8:34 AM
To: 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] Multihomed Sensor
Configure each individual network card as you would a promiscuous
sniffer..
ala `ifconfig ethx promisc up`

(Assuming linux here)
Then, for each different instance, you need to create a  startup script.
I usually put things in /etc/init.d and link to relevant rc.  Best thing
to do is check in the "contrib" source directory for the S99snort
script.  For each interface, create a copy of the script.. ie:

S99snort-eth0

S99snort-eth1

S99snort-eth2
etc..
Just open each script and change the IFACE=ethx to match your interface.
You can also specify different conf files in there for each instance if
you so desire.
Cheers,

Casey

        -----Original Message-----
        From: mailing-list
[mailto:IMCEAEX-_O=HCC+20INSURANCE+20HOLDINGS+2C+20INC+2E_OU=HCC-HOUSTON
_CN=RECIPIENTS_CN=MAILING-LIST () USSIC com]
        Sent: Saturday, January 24, 2004 12:13 AM
        To: 'snort-users () lists sourceforge net'
        Subject: [Snort-users] Multihomed Sensor

        I currently have a Linux box with 4 NICs.  How do I configure it
so that I can monitor each NIC separately with its own conf file?  I
have different subnets that I want to monitor. 

        Thanks in Advance!
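As an added example, not code from the thread's participants or from the Snort project, the following POSIX shell launcher ties together the per-interface startup approach Casey describes and the check the top reply is missing: it puts each NIC into promiscuous mode, verifies the IFF_PROMISC bit from /sys/class/net, confirms the conf's sensor_name matches the interface (ACID groups events by sensor), and starts one Snort instance per interface with the same flags the reply uses. The interface list, /usr/sbin/snort, the /etc/snort.ethX and /var/log/snort.ethX layout, and the /sys flag check are assumptions for this example.

```shell
#!/bin/sh
# multi-snort.sh: start one Snort instance per monitored NIC, each with its
# own conf file, log directory and database sensor_name, following the
# layout used in the thread (/etc/snort.ethX/snort.conf, /var/log/snort.ethX).
# Interface list and paths below are assumptions for this example.

IFACES="eth0 eth1 eth2 eth3"          # assumed: the four monitored NICs
SNORT_BIN=/usr/sbin/snort             # assumed install path
CONF_BASE=/etc                        # $CONF_BASE/snort.ethX/snort.conf
LOG_BASE=/var/log                     # $LOG_BASE/snort.ethX

# Linux exposes interface flags in /sys/class/net/IFACE/flags as a hex word;
# IFF_PROMISC is bit 0x100. Returns 0 (true) when that bit is set.
flags_have_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# Is the interface really in promiscuous mode? Seeing only broadcasts in
# `snort -v` is the usual symptom of this being off, or of the switch port
# not mirroring the subnet's traffic to the sensor at all.
iface_is_promisc() {
    flags_have_promisc "$(cat "/sys/class/net/$1/flags")"
}

# Build the snort command line for one interface, same flags as the reply:
# -U UTC timestamps, -i interface, -d dump app layer, -D daemonize,
# -l log directory, -c config file.
build_snort_cmd() {
    printf '%s -U -i %s -d -D -l %s/snort.%s -c %s/snort.%s/snort.conf\n' \
        "$SNORT_BIN" "$1" "$LOG_BASE" "$1" "$CONF_BASE" "$1"
}

# Extract sensor_name=... from the "output database:" line read on stdin so
# each instance can be checked to log under its own sensor in ACID.
sensor_name_from_conf() {
    sed -n 's/^output database:.*sensor_name=\([^ ,]*\).*/\1/p' | head -n 1
}

start_all() {
    for iface in $IFACES; do
        conf="$CONF_BASE/snort.$iface/snort.conf"
        ifconfig "$iface" promisc up              # as in the reply (Linux)
        iface_is_promisc "$iface" || { echo "$iface: not promiscuous" >&2; exit 1; }
        name=$(sensor_name_from_conf < "$conf")
        [ "$name" = "$iface" ] || \
            echo "warning: $conf has sensor_name=$name, expected $iface" >&2
        mkdir -p "$LOG_BASE/snort.$iface"
        cmd=$(build_snort_cmd "$iface")
        echo "starting: $cmd"
        $cmd    # word splitting intended; the assumed paths contain no spaces
    done
}

# Only act when explicitly asked, so the file can be sourced for its checks.
case "${1:-}" in
    start) start_all ;;
esac
```

Run as root with `sh multi-snort.sh start`. If `iface_is_promisc` fails, or `snort -v -i eth1` still shows nothing but broadcasts after it succeeds, the NIC is not being fed the subnet's traffic (no SPAN/mirror or tap on that segment), which explains an empty ACID console far more often than the database output plugin does; a mismatched sensor_name only moves the events to a different sensor row in ACID rather than hiding them.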

