Date:      Wed, 28 Oct 2009 14:47:33 +0000
From:      Tom Judge <tom@tomjudge.com>
To:        Andrea Venturoli <ml@netfence.it>
Cc:        freebsd-net@freebsd.org
Subject:   Re: snort on multiple interfaces
Message-ID:  <4AE85985.5080206@tomjudge.com>
In-Reply-To: <4AE8569C.1040209@netfence.it>
References:  <4AE8569C.1040209@netfence.it>

Andrea Venturoli wrote:
> Some years ago, I checked to see whether I would be able to let a 
> single snort process listen on more than one NIC.
> At the time it was only possible in Linux.
>
> Now, I searched a bit, but nothing new came up.
>
> Did anything improve since then? Do we still need multiple snort 
> processes to listen on more than one interface?
> Can some netgraph node help with this?
>
You can do this using if_bridge in monitor mode like so:

{/etc/rc.conf}
## DMZ Span Port
cloned_interfaces="bridge0"
ifconfig_fxp0="up promisc"
ifconfig_fxp1="up promisc"
ifconfig_bridge0="addm fxp0 addm fxp1 monitor up"

And then have your snort process run on bridge0.

Tom
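An added example, not part of Tom's message or of FreeBSD's own tooling: a small POSIX sh script that generates the rc.conf lines above for any number of member NICs and then checks `ifconfig bridge0` output for the one thing that matters on a span setup, the MONITOR flag. Per ifconfig(8), `monitor` makes if_bridge discard frames after bpf(4) processing instead of forwarding them between members; without it bridge0 would switch traffic between fxp0 and fxp1 and splice the two monitored segments together. The function names (gen_rcconf, check_monitor) and the sample ifconfig output are my own constructions; the flag names are those ifconfig prints.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the rc.conf lines for an
# if_bridge monitor bridge and verifies a running bridge is really in monitor
# mode. Function names and the sample ifconfig output are constructed here.

# gen_rcconf BRIDGE IFACE... : print rc.conf lines that create BRIDGE, bring
# each member up in promiscuous mode, and add them to the bridge with "monitor".
gen_rcconf() {
    bridge=$1; shift
    addm=""
    printf 'cloned_interfaces="%s"\n' "$bridge"
    for ifn in "$@"; do
        printf 'ifconfig_%s="up promisc"\n' "$ifn"
        addm="$addm addm $ifn"
    done
    printf 'ifconfig_%s="%s monitor up"\n' "$bridge" "${addm# }"
}

# check_monitor IFCONFIG_OUTPUT IFACE... : return 0 only if the bridge's flags
# include MONITOR and every expected member appears as "member: IFACE".
# A bridge that is up but lacks MONITOR forwards frames between its members.
check_monitor() {
    out=$1; shift
    printf '%s\n' "$out" | grep -q 'MONITOR' || return 1
    for ifn in "$@"; do
        printf '%s\n' "$out" | grep -q "member: $ifn " || return 1
    done
    return 0
}

# Constructed sample of `ifconfig bridge0` for a correctly built monitor
# bridge (0x40000 = IFF_MONITOR added to the usual 0x8843 flags).
SAMPLE_MONITOR='bridge0: flags=48843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,MONITOR> metric 0 mtu 1500
	ether 02:1a:2b:3c:4d:00
	member: fxp1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	member: fxp0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# Constructed sample of the same bridge built WITHOUT "monitor": it would
# bridge fxp0 and fxp1 together instead of just feeding bpf/snort.
SAMPLE_FORWARDING='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 02:1a:2b:3c:4d:00
	member: fxp1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	member: fxp0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# Usage: sh bridgemon.sh bridge0 fxp0 fxp1   -> prints the rc.conf lines.
# On the host, after the bridge is up, run:
#   . ./bridgemon.sh; check_monitor "$(ifconfig bridge0)" fxp0 fxp1 || echo "NOT in monitor mode"
if [ $# -ge 2 ]; then
    gen_rcconf "$@"
fi
```

Run check_monitor against the live `ifconfig bridge0` before starting snort on bridge0; if it fails, the bridge is a real bridge between your span ports, not a tap.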



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4AE85985.5080206>