snort on multiple interfaces

Tom Judge tom at tomjudge.com
Wed Oct 28 14:48:28 UTC 2009


Andrea Venturoli wrote:
> Some years ago, I checked to see whether I would be able to let a 
> single snort process listen on more than one NIC.
> At the time it was only possible in Linux.
>
> Now, I searched a bit, but nothing new came up.
>
> Did anything improve since then? Do we still need multiple snort 
> processes to listen on more than one interface?
> Can some netgraph node help with this?
>
You can do this using if_bridge in monitor mode like so:

{/etc/rc.conf}
## DMZ Span Port
cloned_interfaces="bridge0"
ifconfig_fxp0="up promisc"
ifconfig_fxp1="up promisc"
ifconfig_bridge0="addm fxp0 addm fxp1 monitor up"

And then have your snort process run on bridge0.

Tom
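As an added example (not part of Tom's post), the stanza above generalised to any number of span NICs, plus a pre-flight check that the bridge really is in monitor mode before snort is pointed at it; the function names and the two ifconfig listings are constructed for illustration. The "monitor" keyword matters for more than capture: with it set, if_bridge hands frames to BPF and then discards them, so the sensor box never forwards traffic between the segments it is tapping.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the rc.conf stanza for an
# if_bridge span of N NICs (the post shows fxp0/fxp1) and checks a captured
# `ifconfig bridge0` listing for the MONITOR flag before snort is started.

# gen_rc_conf BRIDGE NIC... : print the rc.conf lines for a monitor-mode span
gen_rc_conf() {
    bridge="$1"; shift
    members=""
    printf 'cloned_interfaces="%s"\n' "$bridge"
    for nic in "$@"; do
        printf 'ifconfig_%s="up promisc"\n' "$nic"   # members must see all frames
        members="${members}addm ${nic} "
    done
    printf 'ifconfig_%s="%smonitor up"\n' "$bridge" "$members"
}

# bridge_is_monitor LISTING : succeed only if the flags line lists MONITOR
bridge_is_monitor() {
    printf '%s\n' "$1" | sed -n '1p' | grep -q 'flags=[0-9a-f]*<[^>]*MONITOR[^>]*>'
}

# Constructed sample listings in the shape `ifconfig bridge0` prints.
MONITOR_LISTING='bridge0: flags=48843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,MONITOR> metric 0 mtu 1500
    member: fxp1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    member: fxp0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'
FORWARDING_LISTING='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    member: fxp1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    member: fxp0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# Guard to run before `snort -i bridge0 ...`: refuse a bridge that would
# forward between the span ports instead of only mirroring them to BPF.
check_then_start() {
    if bridge_is_monitor "$1"; then
        echo "bridge0 is in monitor mode; safe to run snort -i bridge0"
        return 0
    fi
    echo "bridge0 is NOT in monitor mode; it would forward between members" >&2
    return 1
}

# Usage: sh span.sh bridge0 fxp0 fxp1 em0 >> /etc/rc.conf
if [ "$#" -gt 0 ]; then
    gen_rc_conf "$@"
fi
```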


More information about the freebsd-net mailing list