severity 458823 wishlist
thanks

> I have multiple interfaces lan0 and wlan0 (fixed and wireless) on my
> computer. It's a laptop, I only use one at a time depending on where
> I happen to be at the time.

This is not currently supported by Snort in Debian.

> I want to be able to run snort as a simple security measure, so that it
> keeps watch over either interface, whichever one happens to be running
> at the time. So I configure the two, setting snort/interface as
> "lan0 wlan0".

That's not correct, as you've already found by yourself, since that means
that Snort has to start on *both* not on one *or* the other.

> However, because only one of the interfaces is activated at one time,
> snort fails to process the configuration, saying for instance:

Which is expected, and is so by design.

> So snort does not appear to elegantly deal with a temporarily
> deactivated interface. The expected behaviour would be for snort to
> simply ignore (or perhaps record a warning against) a missing
> interface, and then switch over to monitor that interface, once it is
> later activated (perhaps some use of ifupdown's /etc/network/if-up.d/
> scripts is needed to achieve this?)

It's actually not Snort, but Snort's init script (which is Debian specific)
that provides the capability to have Snort listen on multiple interfaces.
The behaviour currently is that you have to have all the interfaces
available when you start Snort.

I might be able to change the behaviour so that (by setting a variable such
as ALLOW_UNAVAILABLE) Snort is able to start if some of the configured
interfaces (at Debian's Snort's configuration file) are not available but
at least one is. But that is a wishlist enhancement and I'm tagging this
bug as such.

What you could do, for your specific system is set Snort's default
interface list to '' (i.e. empty) so that it would always succeed starting
up (it has nothing to do) and then have hooks at /etc/network/if-up.d/ that
would modify your /etc/default/snort contents (with the interface that is
being upped) and restart Snort accordingly. Also notice that, IIRC, the
Snort init.d script allows you to start/stop a specific Snort instance.

If you are able to come up with a script like the one I describe above
please share it, I could add it to the examples provided by Snort for other
people that have a similar need.

Regards

Javier
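
A sketch of the if-up.d hook described in the message above, as an added example that is not part of the original message or of the Debian Snort package. It assumes the interface list is an `INTERFACE="..."` line in /etc/default/snort; that variable name and the hook's file name are assumptions, so check them against your own system.

```shell
#!/bin/sh
# Hypothetical /etc/network/if-up.d/snort-iface hook (added example).
# ifupdown exports IFACE (the interface just brought up) to if-up.d scripts.
# Assumption: the init script reads an INTERFACE="..." line from
# /etc/default/snort; set SNORT_VAR if your file uses another name.
SNORT_DEFAULTS="${SNORT_DEFAULTS:-/etc/default/snort}"
SNORT_VAR="${SNORT_VAR:-INTERFACE}"

# Accept only plain interface names (and never loopback), so nothing
# unexpected is written into a file the init script later reads as root.
valid_iface() {
    case "$1" in
        ''|lo|*[!A-Za-z0-9_.:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# set_snort_iface FILE IFACE: point the interface variable at IFACE,
# replacing an existing assignment or appending one. Returns 1 on bad input.
set_snort_iface() {
    file=$1
    iface=$2
    valid_iface "$iface" || return 1
    [ -f "$file" ] || return 1
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    if grep -q "^${SNORT_VAR}=" "$file"; then
        sed "s|^${SNORT_VAR}=.*|${SNORT_VAR}=\"${iface}\"|" "$file" > "$tmp"
    else
        { cat "$file"; printf '%s="%s"\n' "$SNORT_VAR" "$iface"; } > "$tmp"
    fi
    # Keep the original file mode, then replace the file atomically.
    chmod --reference="$file" "$tmp" 2>/dev/null || chmod 644 "$tmp"
    mv "$tmp" "$file"
}

# Act only when called by ifupdown (IFACE set); restart Snort on success.
if [ -n "${IFACE:-}" ]; then
    if set_snort_iface "$SNORT_DEFAULTS" "$IFACE"; then
        invoke-rc.d snort restart
    fi
fi
```

The hook exits cleanly for loopback and for rejected names, so a refused update leaves the existing Snort configuration in place and does not make ifup report a failure.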

