Snort to log all interfaces

Hello,

Just wondering if someone can assist.  

I have Snort on Ubuntu and am just wondering how I would set Snort to log all interfaces?  Is it turned on by default?  I turned three interfaces on in promiscuous mode.  The other one is a management interface.

Thanks,

yackko
 
Rich Rumble (Security Samurai) Commented:
You should be able to run -i any
snort -i any not host ip.ip.ip.ip -c/usr/local/snort/etc/snort.conf -l/usr/local/snort/log
Replace ip.ip.ip.ip with the IP'd interface's IP.
You can bond too: http://www.juniper.net/techpubs/software/junos/junos70/swconfig70-policy/html/sampling-config21.html
But I think running multiple instances is good too if your box is multi-CPU, as Snort is single-threaded anyway...
-rich
 
PowerIT Commented:
You will need to have more than one copy of snort.conf and rules. Then run multiple instances of Snort, each one running on a different interface.

kr, J.
 
yackko (Author) Commented:
Thanks for the reply, PowerIT.  So in saying, I will have to make a copy of the Snort folder, naming it Snort1, Snort2, Snort3, then create an init.d entry for each to start when the machine is rebooted.  So will barnyard be able to unify all three of them?  I have barnyard on the first Snort.

Thanks,

yackko
 
PowerIT Commented:
Barnyard can do this, when you specify a specific PID for each Snort instance running.

kr, J.
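Added example, not part of any poster's reply: a start script for the multi-instance setup PowerIT describes, with one Snort daemon per sniffing interface, each using its own copy of the config and its own log directory. It assumes Snort 2.x command-line options; the interface names, the `snort-<iface>.conf` naming and all paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: one Snort 2.x daemon per sniffing interface, each with its own
# config copy and log directory. All paths and names below are assumptions
# (constructed), not values from the thread.
SNORT_BIN="${SNORT_BIN:-snort}"
CONF_DIR="${CONF_DIR:-/etc/snort}"       # expects snort-<iface>.conf per interface
LOG_ROOT="${LOG_ROOT:-/var/log/snort}"   # one sub-directory per interface
PID_DIR="${PID_DIR:-/var/run}"           # where each daemon writes its PID file
IFACES="${IFACES:-eth1 eth2 eth3}"       # the three promiscuous interfaces
MGMT_IF="${MGMT_IF:-eth0}"               # management interface, never sniffed

# Accept only plain interface names, so a bad entry cannot inject options.
valid_iface() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the command line for one interface, or fail on a bad/management name.
snort_cmd() {
    valid_iface "$1" || { echo "bad interface name: $1" >&2; return 1; }
    [ "$1" != "$MGMT_IF" ] || { echo "refusing management interface $1" >&2; return 1; }
    printf '%s -D -i %s -c %s/snort-%s.conf -l %s/%s --pid-path %s\n' \
        "$SNORT_BIN" "$1" "$CONF_DIR" "$1" "$LOG_ROOT" "$1" "$PID_DIR"
}

# Start every instance; DRY_RUN=1 only prints the commands.
start_all() {
    rc=0
    for ifc in $IFACES; do
        cmd=$(snort_cmd "$ifc") || { rc=1; continue; }
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; continue; fi
        if [ ! -r "$CONF_DIR/snort-$ifc.conf" ]; then
            echo "missing $CONF_DIR/snort-$ifc.conf" >&2; rc=1; continue
        fi
        mkdir -p "$LOG_ROOT/$ifc" && $cmd || rc=1
    done
    return $rc
}

# Usable from an init script: "<script> start"
if [ "${1:-}" = start ]; then start_all; fi
```

Running it once with `DRY_RUN=1` shows the exact command line each instance would get before anything is started.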
 
yackko (Author) Commented:
Sorry.  I'm not that well versed in the PID portion of Linux.  So will this be the init.d in which I create a .conf file and place it in the init.d?  /etc/snort/snort1.conf, /etc/snort/snort2.conf, /etc/snort/snort3.conf and then place it into the init.d to run at boot up?

Thanks,

yackko