From owner-freebsd-net@FreeBSD.ORG Wed Oct 28 14:48:27 2009
From: Tom Judge <tom@tomjudge.com>
Date: Wed, 28 Oct 2009 14:47:33 +0000
To: Andrea Venturoli
Cc: freebsd-net@freebsd.org
Subject: Re: snort on multiple interfaces
Message-ID: <4AE85985.5080206@tomjudge.com>
In-Reply-To: <4AE8569C.1040209@netfence.it>
List-Id: Networking and TCP/IP with FreeBSD

Andrea Venturoli wrote:
> Some years ago, I checked to see whether I would be able to let a
> single snort process listen on more than one NIC.
> At the time it was only possible in Linux.
>
> Now, I searched a bit, but nothing new came up.
>
> Did anything improve since then? Do we still need multiple snort
> processes to listen on more than one interface?
> Can some netgraph node help with this?
>

You can do this using if_bridge in monitor mode like so:

{/etc/rc.conf}
## DMZ Span Port
cloned_interfaces="bridge0"
ifconfig_fxp0="up promisc"
ifconfig_fxp1="up promisc"
ifconfig_bridge0="addm fxp0 addm fxp1 monitor up"

And then have your snort process run on bridge0.

Tom
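The rc.conf recipe above generalises to any number of tapped NICs, and the one thing worth verifying after it is applied is that the bridge really carries the MONITOR flag: without it, if_bridge forwards frames between its member ports, which would join the two DMZ segments instead of just mirroring them to BPF for snort. The script below is an added example (not part of Tom's mail or of FreeBSD): gen_span_rcconf emits the rc.conf fragment for a bridge with N members, and check_span_bridge inspects a captured `ifconfig bridge0` listing for the MONITOR flag and the expected member lines. The two listings embedded in it are constructed samples in the layout FreeBSD's ifconfig(8) prints; the function and variable names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original mail. Assumes the FreeBSD ifconfig
# output layout for bridge interfaces (flags=<...> on the first line,
# one "member: <nic> flags=..." line per member).

# Emit rc.conf lines for bridge $1 with member NICs $2..$n.
# Every member is brought up promiscuous; the bridge gets one "addm" per
# member followed by "monitor up", so frames are delivered to BPF (where
# snort listens) and then discarded, never forwarded between members.
gen_span_rcconf() {
    bridge=$1; shift
    echo "cloned_interfaces=\"$bridge\""
    addm=""
    for nic in "$@"; do
        echo "ifconfig_${nic}=\"up promisc\""
        addm="${addm}addm $nic "
    done
    echo "ifconfig_${bridge}=\"${addm}monitor up\""
}

# Check a captured ifconfig listing ($1) for a span bridge with members
# $2..$n. Returns 0 only if the bridge line carries MONITOR and every
# expected member is attached. A missing MONITOR means the bridge is
# forwarding between the tapped segments rather than just mirroring them.
check_span_bridge() {
    listing=$1; shift
    printf '%s\n' "$listing" | grep -q '^[a-z0-9]*: flags=.*MONITOR' || return 1
    for nic in "$@"; do
        printf '%s\n' "$listing" | grep -q "member: $nic " || return 1
    done
    return 0
}

# Constructed sample: bridge configured with "monitor up", as in the recipe.
SAMPLE_OK='bridge0: flags=48843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,MONITOR> metric 0 mtu 1500
        ether 02:00:00:00:00:00
        member: fxp1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: fxp0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# Constructed sample: same members but "monitor" forgotten, so the bridge
# is a real forwarding bridge between the two DMZ span ports.
SAMPLE_FORWARDING='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:00:00:00:00:00
        member: fxp1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: fxp0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# Usage: print the fragment for the mail's two-NIC case, then verify both samples.
gen_span_rcconf bridge0 fxp0 fxp1
check_span_bridge "$SAMPLE_OK" fxp0 fxp1 && echo "bridge0: monitor-only span, OK"
check_span_bridge "$SAMPLE_FORWARDING" fxp0 fxp1 || echo "bridge0: WARNING, bridge is forwarding, not monitoring"
```

On a live box the second argument would come from `ifconfig bridge0` itself; running the check from a periodic job is a cheap way to notice an rc.conf edit that dropped the monitor keyword.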