
[Snort-users] snort with two interface


Leonardo Pezente

Dec 5, 2012, 10:52:08 AM
I have Snort at the border of a network, and as this topic shows, it has two interfaces. I have set HOME_NET equal to the IPs of both interfaces.
The thing is: on one of them I can detect attacks, but on the other I can't.
When I started testing, I was using just one (the interface that is detecting).
But I particularly need the other one to detect too. So, what could be wrong?
My snort.conf is working fine, and it is starting on boot sniffing both interfaces.
Might this be a problem with pcap?

Lay, James

Dec 5, 2012, 10:58:59 AM

I believe Snort can only listen on one interface at a time, so you may want to run two separate instances of snort.

 

James

Leonardo Pezente

Dec 5, 2012, 11:11:06 AM
Yeah, you were right, I can only run one interface per instance of Snort I run.
Thanks James

Jaime Nebrera

Dec 5, 2012, 11:16:55 AM
  Hi Leonardo,

  This is not fully right. With proper patching, Snort can read from multiple interfaces within the same instance. This is, BTW, what we have done in the redBorder project.

Jeremy Hoel

Dec 5, 2012, 11:53:32 AM
And without patching, you could bond the two interfaces together and
listen on the bonded interface. The only downside of both of those
options is not knowing what NIC saw the bad traffic. You could go off
IP of course, if that makes sense for your network design.

Michael Altizer

Dec 5, 2012, 12:52:01 PM
Alternatively, you could just use the AFPacket DAQ module to listen on
multiple interfaces. Just make sure you don't put Snort in inline mode
or it will bridge them.

Jeremy Hoel

Dec 5, 2012, 1:08:09 PM
Didn't know that. Nice. I haven't played with the DAQs much or
looked at the differences and options. Very cool.

How would you report that interface that it came on for by2?

Leonardo Pezente

Dec 5, 2012, 1:11:19 PM
Jeremy, when you say "listen on the bonded interface", do you mean something like this: snort -c .. -i eth0:eth1 ... ? Because I have tried that, and it didn't work.
I like the idea of afpacket. I didn't know you could use it in IDS mode; usually people use it with Snort inline.


Jeremy Hoel

Dec 5, 2012, 1:26:10 PM
No, you define a bonded interface up front (bond0) and then use that
bonded interface as the name '-i bond0'


In your network.interfaces file, it looks kind of like this (Debian based):

auto bond0
iface bond0 inet manual
    bond-slaves none
    bond-mode 0
    bond-miimon 100
    up ifconfig bond0 promisc up

auto eth1
iface eth1 inet manual
    up ifconfig eth1 promisc up
    bond-master bond0
    bond-primary eth1 eth2

auto eth2
iface eth2 inet manual
    up ifconfig eth2 promisc up
    bond-master bond0
    bond-primary eth1 eth2
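
Added example (not part of the original thread): a pre-flight check to run before starting Snort with '-i bond0', confirming that the bond from the stanza above has both NICs as members and that the bond and each member are promiscuous. The function names and the SYSFS override variable are assumptions made for this example; the sysfs paths are the standard Linux ones.

```shell
#!/bin/sh
# Added example: pre-flight check for a passive sensor bond (e.g. bond0).
# SYSFS is an assumed override so the check can run against a test tree.
IFF_PROMISC=256   # 0x100, IFF_PROMISC in <linux/if.h>

# is_promisc IFACE: succeeds if IFACE has the promiscuous flag set.
is_promisc() {
    flags_file="${SYSFS:-/sys}/class/net/$1/flags"
    [ -r "$flags_file" ] || return 2
    flags=$(cat "$flags_file")              # hex string such as 0x1903
    [ $(( $flags & $IFF_PROMISC )) -ne 0 ]
}

# check_bond BOND IF...: succeeds only if every IF is a member of BOND
# and BOND plus every member is promiscuous. Prints each problem found.
check_bond() {
    bond=$1; shift
    rc=0
    slaves_file="${SYSFS:-/sys}/class/net/$bond/bonding/slaves"
    if [ ! -r "$slaves_file" ]; then
        echo "$bond: not a bonding device"
        return 1
    fi
    slaves=" $(cat "$slaves_file") "        # pad so whole names match
    is_promisc "$bond" || { echo "$bond: not promiscuous"; rc=1; }
    for ifc in "$@"; do
        case "$slaves" in
            *" $ifc "*) ;;
            *) echo "$ifc: not enslaved to $bond"; rc=1 ;;
        esac
        is_promisc "$ifc" || { echo "$ifc: not promiscuous"; rc=1; }
    done
    return "$rc"
}

# Usage: pass the bond name followed by its expected member interfaces.
if [ "$#" -gt 0 ]; then
    check_bond "$@"
fi
```

A non-zero exit means the sensor would silently miss traffic from at least one NIC, which is the symptom the thread started with.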

Lay, James

Dec 5, 2012, 3:05:51 PM


-----Original Message-----
From: Michael Altizer [mailto:malt...@sourcefire.com]
Sent: Wednesday, December 05, 2012 10:52 AM
To: snort...@lists.sourceforge.net
Subject: Re: [Snort-users] snort with two interface

Alternatively, you could just use the AFPacket DAQ module to listen on
multiple interfaces. Just make sure you don't put Snort in inline mode
or it will bridge them.


Any examples of this? I'd like to give this a go. Thanks Michael.

Russ Combs

Dec 5, 2012, 3:20:10 PM
On Wed, Dec 5, 2012 at 3:05 PM, Lay, James <jame...@wincofoods.com> wrote:

> -----Original Message-----
> From: Michael Altizer [mailto:malt...@sourcefire.com]
> Sent: Wednesday, December 05, 2012 10:52 AM
> To: snort...@lists.sourceforge.net
> Subject: Re: [Snort-users] snort with two interface
>
> Alternatively, you could just use the AFPacket DAQ module to listen on
> multiple interfaces. Just make sure you don't put Snort in inline mode
> or it will bridge them.
>
> Any examples of this? I'd like to give this a go. Thanks Michael.

Check out the README in the DAQ tarball.