[Snort-sigs] multiple interfaces

Matthew Watchinski mwatchinski at ...435...
Thu May 20 06:51:02 EDT 2004


Bonding works just fine for smashing multiple interfaces together.  But use it 
with caution, depending on exactly what you want to do.  If you want to monitor 
multiple interfaces with different policies, i.e. different snort.confs or 
variables, it's best to use multiple instances of snort.  If you just want to 
smash everything together, then bonding is the way to go.  You can also use taps 
or span/mirror ports to accomplish the same goals.

Cheers,
-matt

Javier Fernandez-Sanguino wrote:
> Kimberly Ho wrote:
> 
>> Hey all,
>>
>> I've been trying to see if there was a way around snort 2.1.2, and why 
>> it does not support multiple interfaces.   Snort 2.1.0 does however. 
>> But in any case, is there a way to specify multiple interfaces, or 
>> even negate one interface out of 10. We tried to modify the snort.conf 
>> file and specified the interface to look for, but it did not like 
>> that.  Tried generally most things that are available online.  Any ideas?
> 
> 
> I've usually done this with different snort instances, i.e. init.d 
> scripts that run different snort configurations with different -i 
> values. That provides a way to have different rule sets for the 
> interfaces (since they will listen on different networks, with different 
> traffic)
> 
> One thing that _might_ work, but I haven't tested myself, is to do link 
> aggregation using logical interfaces bonding [1] and enslave different 
> interfaces to it, then set up a single snort instance attached to the 
> bond interface. If anyone tests this I would like to hear what the 
> results are...
> 
> Regards
> 
> Javier
> 
> 
> [1] See the "Guide to IP Layer Network Administration with Linux", more 
> specifically: http://linux-ip.net/html/ether-bonding.html
> 
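The multiple-instance approach both replies describe, sketched as an added example that is not part of the original thread: one Snort process per interface, each with its own snort.conf and log directory. The interface names, config paths and log root are constructed placeholders; the flags used (-D, -i, -c, -l, -T) are standard Snort 2.x options.

```shell
#!/bin/sh
# Added example: one Snort process per interface, each with its own config.
# Interface names, config paths and log root are constructed placeholders.
SENSORS="${SENSORS:-eth1:/etc/snort/snort-dmz.conf eth2:/etc/snort/snort-lan.conf}"
LOG_ROOT="${LOG_ROOT:-/var/log/snort}"

# Reject a map that lists the same interface twice: two instances on one
# interface would log every alert twice.
check_map() {
    seen=""
    for entry in $SENSORS; do
        iface=${entry%%:*}
        case " $seen " in
            *" $iface "*) echo "duplicate interface: $iface" >&2; return 1 ;;
        esac
        seen="$seen $iface"
    done
}

# Print the command line for one instance.
# -D daemon, -i interface, -c config file, -l per-interface log directory.
snort_cmd() {
    printf 'snort -D -i %s -c %s -l %s/%s\n' "$1" "$2" "$LOG_ROOT" "$1"
}

# Print one command line per entry in the map (dry run).
plan() {
    check_map || return 1
    for entry in $SENSORS; do
        snort_cmd "${entry%%:*}" "${entry#*:}"
    done
}

# Validate each config with -T before daemonizing; stop at the first failure.
start_all() {
    check_map || return 1
    for entry in $SENSORS; do
        iface=${entry%%:*}; conf=${entry#*:}
        mkdir -p "$LOG_ROOT/$iface"
        snort -T -i "$iface" -c "$conf" >/dev/null 2>&1 ||
            { echo "config test failed for $iface" >&2; return 1; }
        snort -D -i "$iface" -c "$conf" -l "$LOG_ROOT/$iface"
    done
}

case "${1:-}" in
    plan)  plan ;;
    start) start_all ;;
esac
```

Run it with `plan` to see the command lines before using `start`; separate log directories keep each interface's alerts attributable to the network it watches.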