[Snort-users] Multi nic host?
dr at ...381...
Thu Sep 7 15:13:52 EDT 2000
On Thu, 07 Sep 2000, you wrote:
> Hello Group
> Most likely a silly question but here goe's. Can snort support a multi nic
> machine? Lets say I have a private network 10.1.1.0 over four 24 port hubs
> all connected by one switch.. Because the switch does some routing I can
> not just plug into the switch a catch all the traffic. What if I had a
> machine with four nics, one for each hub, for example nic 1 10.1.1.11, nic
> 2 10.1.1.12 and so on.. Then set
> -h 10.1.1.0/24. Would snort analyze all the traffic on each NIC?
It wouldn't work quite the way you imagine it. One snort process associates
itself with one interface and starts err... snorting the packets on it. To
snort your four nic scenario, you would start up four snort porcesses on the
monitor, one for each nic.
If you are concerned about internet borne attacks more than local hijinks
another alternative for you may be just to use one NIC but to monitor the
upstream feed into this switch. Depending on what kind switch you have
it may also be able to configure a monitor plug/port on the switch that tries
to echo all packets from every port/plug to it.
dursec.com ltd. / kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E B7DC 2B71 A73E D2E8 A56D
pgp key: http://www.dursec.com/drkey.asc
More information about the Snort-users