[Snort-sigs] multiple interfaces

Javier Fernandez-Sanguino jfernandez at ...2106...
Fri May 21 02:47:52 EDT 2004


Matthew Watchinski wrote:

> bonding works just fine for smashing multiple interfaces together.  But 
> use with caution depending exactly what you want to do.  If you want to 

Oh good. I just took a wild shot :-)

> monitor multiple interfaces with different policies, i.e. different 
> snort.confs or variables, it's best to use multiple instances of 
> snort.  

Absolutely (even if it's worse on system resources).

> If you just want to smash everything together then bonding is 
> the way to go.  You can also use taps or spans/mirror ports to 
> accomplish the same goals.
> 

Not _exactly_ the same, since you won't be able to retaliate (re-inject 
traffic to, for example, send RST to connections) if you are 
using a tap or a span/mirror. They are, after all, a "one way" 
connection. As an advantage, the IDS would not be as exposed if using 
taps vs bonding (since even if it's compromised it cannot re-inject 
data into the network).

Regards

Javier
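The two deployment shapes discussed in this exchange, as an added example that is not part of the original thread or of Snort itself: a Linux bonding device that aggregates several sniffing NICs for one Snort instance (Matthew's "smash everything together" case), and the per-interface command line used when separate policies call for separate instances. The interface names (eth1, eth2, bond0) and the snort.conf path are assumptions. The bond is brought up without an address and with IPv6 disabled so the sensor side stays as quiet as a bonded setup can be, which partly addresses Javier's exposure point; a tap still remains the only truly one-way option. The script defaults to a dry run that prints the commands; set DRY_RUN=0 as root to execute them.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Snort.
# Interface names and the snort.conf path are assumptions.
# DRY_RUN=1 (default) prints each command instead of executing it.

DRY_RUN="${DRY_RUN:-1}"

# run CMD...: echo the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_bond BOND IFACE...: create BOND in round-robin mode, enslave each
# IFACE, and bring everything up promiscuous with no IP address so the
# sensor only listens on the monitored segments.
build_bond() {
    bond="$1"; shift
    run modprobe bonding
    run ip link add "$bond" type bond mode balance-rr
    for nic in "$@"; do
        run ip link set "$nic" down
        run ip link set "$nic" master "$bond"
        run ip link set "$nic" up promisc on
    done
    # No address is assigned and IPv6 autoconf is switched off, so the
    # bond never announces itself on the wire.
    run ip link set "$bond" up promisc on
    run sysctl -w "net.ipv6.conf.$bond.disable_ipv6=1"
}

# snort_cmdline IFACE CONF: one daemonised Snort instance per interface,
# each with its own configuration, for the different-policies case.
snort_cmdline() {
    printf 'snort -i %s -c %s -D\n' "$1" "$2"
}

# Usage (dry run): build one bond from two NICs, and show what two
# independent instances with separate configs would look like instead.
build_bond bond0 eth1 eth2
snort_cmdline eth1 /etc/snort/snort-dmz.conf
snort_cmdline eth2 /etc/snort/snort-lan.conf
```

Whichever shape is chosen, the interfaces carrying monitored traffic get no address; Snort sees everything through the bond (or each NIC), while nothing on the sensor side has a route to answer on those segments.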
