Hi All,

I have more than one interface I need to monitor with snort. I've read http://www.snort.org/docs/faq/1Q05/node35.html. To do that, I've created bridge0 and added both interfaces. Since I need to assign IP addresses to each interface, I could not just up the interfaces and add them to the bridge. Perhaps that's the reason, but I don't see alarms triggered with -i bridge0 (snort warns that no IP is assigned to bridge0 anyways). Do I need to do anything else?
Using 0.0.0.0 or any as HOME_NET (as mentioned somewhere) doesn't help at all. Perhaps http://www.monkey.org/openbsd/archive/misc/0203/msg01194.html could be helpful, but I can't see how. I couldn't find how to create an "any" interface on OpenBSD; I would appreciate any links/comments. Otherwise, what I do is to run multiple instances of snort for each interface, which wastes my shared memory.

Also, I've compiled 2.6.1.4 mysql enabled, but for some reason snort complains that it cannot connect to mysql via mysql.sock file. But on the same system I don't have any problem connecting to mysql using mysql-enabled 2.4.5 package, so I don't believe there is any problem with my mysql settings or file permissions (I cannot use 2.4.5-mysql due to timestamp problems I mentioned on another post). To make sure I'm not doing anything wrong, I've modified the ports Makefile and compiled using ports, but I have the same problem. Isn't it enough to configure snort with --with-mysql? And if the build is successful, what can be wrong?

I'm sorry if I'm asking too many snort-related questions.

Thanks,