From: Neil Dickey (neilgeol.niu.edu)
Date: Tue Jun 05 2001 - 09:59:04 CDT


    Edwin Chiu <Edwin.Chiue-wares.com> wrote:

    [ ... Snip, 'any' interface not recognized so use le0 etc ... ]

    >I'm aware of this, but I was under the impression that libpcap and/or
    >snort could listen to all interfaces with the "-i any" flag, like
    >tcpdump.

    That may well be! I was just working from what's in the man page, which
    says that '-i' requires the interface name as an argument. It wouldn't
    be the first time I've gotten into trouble reading a man page. ;-)

    Did you try specifying a particular interface to see if the problem goes
    away? ( We already know that 'any' doesn't work ... ) If Snort won't
    report anything then, maybe there's a problem with your build. If 'any'
    should work and doesn't then there's obviously a bug somewhere, but I
    wouldn't be able to help you with that.

    Finally, this from the FAQ:

    --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
    Q: How can I run snort on multiple interfaces simultaneously?

    A: If you aren't running snort on linux 2.1.x/2.2.x kernel (with LPF available)
        the only way is to run multiple instances of snort, one instance per
        interface. However for linux 2.1.x/2.2.x and higher you can use libpcap
        library with S. Krahmer's patch which allows you to specify 'any' as interface
        name. In this case snort will be able to process traffic coming to all
        interfaces.
    --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

    Apparently under specific conditions linux users, and linux users only, *can*
    specify 'any' as an interface. Are you using libpcap with S. Krahmer's patch?

    Best regards,

    Neil Dickey, Ph.D.
    Research Associate/Sysop
    Geology Department
    Northern Illinois University
    DeKalb, Illinois
    60115
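
The two options in the FAQ excerpt above, as an added example that is not part of the original message or of the Snort distribution: a dry-run shell function that prints a single `snort -i any` command when the caller states that the host is Linux with a libpcap that accepts 'any', and otherwise one command per interface, each with its own log directory. The function name, the config path, the log root and the interface name `le1` are assumptions.

```shell
#!/bin/sh
# Added example: plan Snort processes for several interfaces.
# Dry run only: it prints command lines and starts nothing.

SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"   # assumed config path
LOG_ROOT="${LOG_ROOT:-/var/log/snort}"              # assumed log root

# plan_snort OS ANY_OK IFACE...   (hypothetical helper)
#   OS      kernel name as printed by `uname -s`
#   ANY_OK  "yes" only if this libpcap build accepts the 'any' device
plan_snort() {
    os=$1; any_ok=$2; shift 2

    # Linux with an 'any'-capable libpcap: one process sees every interface.
    if [ "$os" = "Linux" ] && [ "$any_ok" = "yes" ]; then
        echo "snort -D -i any -c $SNORT_CONF -l $LOG_ROOT/any"
        return 0
    fi

    if [ $# -eq 0 ]; then
        echo "plan_snort: no interfaces given" >&2
        return 1
    fi

    # Validate every name before printing anything, so a bad entry
    # never leaves a half-finished plan behind.
    for ifc in "$@"; do
        case $ifc in
            ''|any|*[!A-Za-z0-9._:-]*)
                echo "plan_snort: refusing interface name '$ifc'" >&2
                return 1 ;;
        esac
    done

    # Everywhere else: one instance per interface. A separate -l
    # directory keeps the instances from writing into each other's logs;
    # each directory has to exist before snort is started.
    for ifc in "$@"; do
        echo "snort -D -i $ifc -c $SNORT_CONF -l $LOG_ROOT/$ifc"
    done
}

# Constructed sample: a non-Linux host with two interfaces.
plan_snort SunOS no le0 le1
```

Review the printed lines before running them; on a host where 'any' is not supported, the plan refuses it rather than emitting a command that would capture nothing.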
