You want to monitor more than one network interface.
Use more than one instance of Snort, each monitoring a separate interface.
Alternatively, combine your NICs into a single "bridged" unit.
It is perfectly possible to run more than one instance of Snort. Using this method, you just assign a separate Snort process to watch each interface that you are interested in, each with its own configuration file.
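The following sketch of the one-instance-per-interface approach is an added example, not code from the original recipe. The configuration file naming (snort-<interface>.conf), the per-interface log directories and the function names are assumptions; with DRY_RUN=1 (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: one Snort process per interface, each with its own
# configuration file and log directory. All paths are assumptions.
CONF_DIR=${CONF_DIR:-/etc/snort}      # assumed home of snort-<iface>.conf
LOG_ROOT=${LOG_ROOT:-/var/log/snort}  # assumed root for per-interface logs
DRY_RUN=${DRY_RUN:-1}                 # 1 = print commands, do not start Snort

# Accept only plain interface names (no spaces, no leading dash), so an
# interface argument can never be read as an extra Snort option.
valid_iface() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the Snort command line for one interface:
# -D daemon mode, -i interface, -c config file, -l log directory.
snort_cmd() {
    valid_iface "$1" || return 1
    printf 'snort -D -i %s -c %s/snort-%s.conf -l %s/%s\n' \
        "$1" "$CONF_DIR" "$1" "$LOG_ROOT" "$1"
}

# Start (or, in dry-run mode, print) one instance per interface given.
# A repeated interface is skipped so two sensors never share a log directory.
start_sensors() {
    seen=" "
    for ifc in "$@"; do
        case "$seen" in
            *" $ifc "*) echo "skipping duplicate: $ifc" >&2; continue ;;
        esac
        seen="$seen$ifc "
        cmd=$(snort_cmd "$ifc") || { echo "bad interface name: $ifc" >&2; return 1; }
        if [ "$DRY_RUN" = 1 ]; then
            echo "$cmd"
            continue
        fi
        [ -r "$CONF_DIR/snort-$ifc.conf" ] || { echo "no config for $ifc" >&2; return 1; }
        mkdir -p "$LOG_ROOT/$ifc" || return 1
        snort -D -i "$ifc" -c "$CONF_DIR/snort-$ifc.conf" -l "$LOG_ROOT/$ifc" || return 1
    done
}

# Example: DRY_RUN=1 start_sensors eth0 eth1
```

Giving each instance its own log directory keeps alerts attributable to the interface that saw the traffic.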
The bridging option was primarily developed as a method to allow a Linux machine to act as a bridge between networks. It allows two network cards to be aggregated into a single entity. Before progressing down this route, consider reading the project's documentation on its Sourceforge home page: http://bridge.sourceforge.net.
Assuming that bridging is built into your kernel, this is how you would go about implementing it. First, clear the IP addresses on the interfaces you are trying to bridge (you can use more than two):
[root@frodo root]# ifconfig eth0 0.0.0.0
[root@frodo root]# ifconfig eth1 0.0.0.0
Use the bridging commands to create a bridge container:
[root@frodo root]# brctl addbr snort_bridge
Add the interfaces to the container:
[root@frodo root]# brctl addif snort_bridge eth0
[root@frodo root]# brctl addif snort_bridge eth1
Then bring the bridge online:
[root@frodo root]# ifconfig snort_bridge up
To make use of the bridge, include it as the interface argument to Snort:
[root@frodo root]# snort -v -i snort_bridge
Running in packet dump mode
Log directory = /var/log/snort
Initializing Network Interface snort_bridge
Which option you use depends on your reasons for needing more than one port. If you are listening to more than one range of IP addresses, it makes sense to run an instance per IP range. However, if you are tapping a full-duplex link or a link that is faster than the network cards (gigabit tapping with 100 MB cards, for example), using bridged networking is a better option.
Koziol, Jack. "Appendix A: Troubleshooting." In Intrusion Detection with Snort. Indianapolis, IN: Sams, 2003.