snort-users November 2009 archive
Main Archive Page > Month Archives  > snort-users archives
snort-users: [Snort-users] Problem with the '-i' option

[Snort-users] Problem with the '-i' option

From: Eric S <ericseligman_at_nospam>
Date: Mon Nov 02 2009 - 09:17:57 GMT
To: <snort-users@lists.sourceforge.net>

Hello everyone,

I am having a bit of a problem getting Snort to run on different interfaces on Linux. I have a bridge setup (br0) that is bridged with eth1 (my primary physical interface connected to the network). I also have another bridge (br1) that connects a number of other virtual interfaces (mostly for VM's), such as vif1, vif2, etc. My issue is when I issue a command such as:

snort -i br1 -dev

All I see is traffic from br0. This occurs with every other interface on my system. No errors are generated, however when snort is initialized (no matter the interface specified, even if its jiberish) I see this information:

        --== Initializing Snort ==--
Initializing Output Plugins!
***

  • interface device lookup found: br0
    ***
    Initializing Network Interface br0 Decoding Ethernet on interface br0

So it seems to me that snort is ignoring my '-i' switch, and just using the first active interface, which would be br0. It would appear that there may be an issue with the interface detection script, in that it is only see "br0" as active. However, this certainly seems like a bug because A.) Network traffic flows as excepted from each of the interfaces, and B.) tcpdump -i works perfectly on all the interfaces.

So the question is, does anyone have an idea as to what is going wrong, or what I can do to remidy this issue? I've searched for hours on this issue and havent found much, so any help would be appreciated.

Thanks,

Eric                                                



New Windows 7: Find the right PC for you. http://www.microsoft.com/windows/pc-scout/default.aspx?CBID=wl&ocid=PID24727::T:WLMTAGL:ON:WL:en-US:WWL_WIN_pcscout:112009



Come build with us! The BlackBerry(R) Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9 - 12, 2009. Register now! http://p.sf.net/sfu/devconference



Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users