mrfree Veteran
Joined: 15 Mar 2003 Posts: 1303 Location: Europe.Italy.Sulmona
Posted: Sun May 08, 2005 2:51 pm Post subject: snort on multiple interface
I have 4 network interfaces on my home server and I want snort to sniff only 2 of them.
Code: | # Config file for /etc/init.d/snort
# This tell snort which interface to listen on (any for every interface)
IFACE=eth0
[...] |
Using any as the IFACE value, snort examines all 4 interfaces...
Must I use 2 distinct instances of snort?
_________________
Please EU, pimp my country!
ICE: /etc/init.d/iptables panic
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
Posted: Sun May 08, 2005 4:57 pm Post subject:
I'm wondering if you can set it to listen on 'all' interfaces in (/etc/conf.d/snort), but then configure it via /etc/snort/snort.conf to pay attention to the interfaces you want.
Code: |
# or use global variable $<interfacename>_ADDRESS which will be always
# initialized to IP address and netmask of the network interface which you run
# snort at.
var HOME_NET [$eth0_ADDRESS,$eth1_ADDRESS] |
I just tried this.. but it doesn't look like it works too hot.. but wanted to post it just in case I missed something stupid.
Another option is to configure your HOME_NET with just the IPs of the two interfaces you want...
Code: | var HOME_NET [192.168.0.0/24, 10.0.0.0/24] |
HTH
hanji
tdi Apprentice
Joined: 25 Aug 2004 Posts: 170
Posted: Sun May 08, 2005 5:03 pm Post subject:
snort is not designed to be a HOST based IDS.
It is a net-based IDS.
It should have a separate machine at the door of the network.
Like this:
-------snort machine -----------router ---------- server-----(network)
It should be like a spy... only listening and invisible
capitanjackal n00b
Joined: 26 Aug 2003 Posts: 69 Location: Quarata (CALIFORNIA)
Posted: Wed Mar 29, 2006 12:51 pm Post subject: Re: snort on multiple interface
mrfree wrote: | I have 4 network interfaces on my home server and I want snort to sniff only 2 of them.
Code: | # Config file for /etc/init.d/snort
# This tell snort which interface to listen on (any for every interface)
IFACE=eth0
[...] |
Using any as the IFACE value, snort examines all 4 interfaces...
Must I use 2 distinct instances of snort? |
With IFACE=any I can't manage to get snort working.
It starts, but the interfaces don't go into promiscuous mode.
In the snort FAQ they talk about a patch:
http://www.snort.org/docs/faq/1Q05/node35.html
I need to make snort work on both interfaces, one on the LAN side and the other on the WAN side.
Any ideas?
Thanks
Giacomo
_________________
Better a Fiat 500 with 500 watts than a Fiat Punto with no watts at all!
PS: I bought the Punto! I'm a l00s3r
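
One way to watch two of the four interfaces is the "two distinct instances" approach asked about in the thread: one Snort process per interface, each started with its own -i and its own log directory. This is an added example, not code from any poster; the interface names eth0/eth1 for the monitored pair and the /var/log/snort log root are assumptions.

```shell
#!/bin/sh
# Added example: one Snort process per monitored interface.
# Assumed values (not from the thread): eth0/eth1 as the monitored pair and
# /var/log/snort as the log root. DRY_RUN=1 only prints the commands.
IFACES="${IFACES:-eth0 eth1}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
LOG_ROOT="${LOG_ROOT:-/var/log/snort}"
DRY_RUN="${DRY_RUN:-1}"

# Accept only plain interface names. "any" is refused on purpose: the thread
# reports that with IFACE=any the interfaces do not enter promiscuous mode.
valid_iface() {
    case "$1" in
        ""|any|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Start one daemonized instance bound to a single interface, with its own
# log directory so alerts from the two sides are not mixed together.
start_one() {
    run mkdir -p "$LOG_ROOT/$1" &&
        run snort -D -i "$1" -c "$SNORT_CONF" -l "$LOG_ROOT/$1"
}

# Walk the interface list; skip bad names instead of starting a sniffer on them.
start_all() {
    for ifc in $IFACES; do
        if valid_iface "$ifc"; then
            start_one "$ifc"
        else
            echo "skipping interface name: $ifc" >&2
        fi
    done
}

start_all
```

Run it as is to review the commands, then with DRY_RUN=0 to launch the instances.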