Snort mailing list archives
RE: Multiple sensors/interfaces, same daemon
From: "Joshua Berry" <jberry () PENSON COM>
Date: Thu, 1 Jul 2004 13:24:32 -0500
You could use bonded interfaces. If your kernel does not have support compiled into it for bonded interfaces (Network Device Support\Bonding Driver Support) then you will have to compile your own kernel and then compile the ifenslave source (<kernel_source_directory\Documentation\networking\ifenslave.c). Then you can use ifenslave to bond the interfaces together with: /sbin/ifconfig eth0 promisc up /sbin/ifconfig eth1 promisc up /sbin/ifconfig bond0 promisc up <wherever_your_ifenslave_binary_is>/ifenslave bond0 eth0 <wherever_your_ifenslave_binary_is>/ifenslave bond0 eth1 Then run snort with -i bond0. -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Sergio Caltagirone Sent: Thursday, July 01, 2004 1:00 PM To: Snort-users () lists sourceforge net Subject: [Snort-users] Multiple sensors/interfaces, same daemon Hey all, how do i configure a single snort daemon to act as a sensor on two interfaces? When I try '-i any' i pick up alot of traffic from 127.0.0.1 - which I'm guessing is the loopback; however, I get none from eth1 and just fine from eth0. Also, with 2 interfaces, how should the $HOME_NET and $EXTERNAL_NET be set? Thanks, Sergio ------------------------------------------------------- This SF.Net email sponsored by Black Hat Briefings & Training. Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This SF.Net email sponsored by Black Hat Briefings & Training. Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Multiple sensors/interfaces, same daemon Sergio Caltagirone (Jul 01)
- <Possible follow-ups>
- RE: Multiple sensors/interfaces, same daemon Joshua Berry (Jul 01)
- RE: Multiple sensors/interfaces, same daemon Murray, Todd (Jul 02)