Date: Wed, 28 Oct 2009 14:47:33 +0000
From: Tom Judge <tom@tomjudge.com>
To: Andrea Venturoli <ml@netfence.it>
Cc: freebsd-net@freebsd.org
Subject: Re: snort on multiple interfaces
Message-ID: <4AE85985.5080206@tomjudge.com>
In-Reply-To: <4AE8569C.1040209@netfence.it>
References: <4AE8569C.1040209@netfence.it>
Andrea Venturoli wrote:
> Some years ago, I checked to see whether I would be able to let a
> single snort process listen on more than one NIC.
> At the time it was only possible in Linux.
>
> Now, I searched a bit, but nothing new came up.
>
> Did anything improve since then? Do we still need multiple snort
> processes to listen on more than one interface?
> Can some netgraph node help with this?
>
You can do this using if_bridge in monitor mode like so:
{/etc/rc.conf}
## DMZ Span Port
cloned_interfaces="bridge0"
ifconfig_fxp0="up promisc"
ifconfig_fxp1="up promisc"
ifconfig_bridge0="addm fxp0 addm fxp1 monitor up"
And then have your snort process run on bridge0.
Tom
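A quick sanity check for the stanza above, as an added example rather than anything from Tom's mail: rc.conf is plain sh variable syntax, so the fragment can be sourced and linted before a reboot. The function (hypothetical name `check_span_bridge`, with a constructed sample file) flags a bridge line missing `monitor`, since without that flag if_bridge forwards frames between the span NICs instead of only handing them to bpf for snort, and it flags members that are not set `promisc`.

```shell
#!/bin/sh
# Added example, not from the mail thread. Lints an rc.conf span-port stanza:
#  - the bridge is listed in cloned_interfaces
#  - ifconfig_<bridge> carries "monitor" and "up"
#  - every "addm <if>" member has an ifconfig_<if> entry containing "promisc"
set -u

# Constructed sample, mirroring the stanza from the mail.
RC_SAMPLE=$(mktemp)
cat > "$RC_SAMPLE" <<'EOF'
## DMZ Span Port
cloned_interfaces="bridge0"
ifconfig_fxp0="up promisc"
ifconfig_fxp1="up promisc"
ifconfig_bridge0="addm fxp0 addm fxp1 monitor up"
EOF

# check_span_bridge FILE BRIDGE -> exit 0 if the stanza is a monitor-only span,
# 1 otherwise (one diagnostic per problem). Runs in a subshell so sourcing the
# file does not pollute the caller's environment.
check_span_bridge() (
    file=$1; br=$2; rc=0
    . "$file" || return 1
    case " ${cloned_interfaces:-} " in
        *" $br "*) ;;
        *) echo "$br missing from cloned_interfaces"; rc=1 ;;
    esac
    eval "brcfg=\${ifconfig_$br:-}"
    case " $brcfg " in
        *" monitor "*) ;;
        *) echo "ifconfig_$br lacks 'monitor': bridge would forward traffic"; rc=1 ;;
    esac
    case " $brcfg " in
        *" up "*) ;;
        *) echo "ifconfig_$br lacks 'up'"; rc=1 ;;
    esac
    # Walk the "addm <if>" pairs and check each member is promiscuous.
    set -- $brcfg
    while [ $# -gt 1 ]; do
        if [ "$1" = addm ]; then
            eval "mcfg=\${ifconfig_$2:-}"
            case " $mcfg " in
                *" promisc "*) ;;
                *) echo "member $2 is not set promisc"; rc=1 ;;
            esac
        fi
        shift
    done
    return $rc
)
```

Run it as `check_span_bridge /etc/rc.conf bridge0` against the real file; a non-zero exit means the span port would not behave as a pure tap.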
