[Snort-users] AW: (Snort-users) Snort Sensor Multi-Homed...

sandro.poppi at ...3316... sandro.poppi at ...3316...
Sun Oct 14 23:31:03 EDT 2001


>
> For a snort sensor (multi-homed) with the primary NIC connected to RFC 1918
> space and the second NIC running in promisc mode without the stack
> configured, what is the best way to configure this via the snort.conf file?
>
> I am mostly concerned with performance. Would it be:
>
> var HOME_NET any OR var HOME_NET $<inf>_ADDRESS
>
> var EXTERNAL_NET any OR var EXTERNAL_NET $<inf>_ADDRESS
>
>
> The idea here is to have my distributed sensors deployed throughout various
> nets grabbing data on the promisc net and then all reporting back to my
> Demarc/MySQL system via 1918 and gain maximum performance and results.
>

I'm running snort with 6 NICs in one machine using eth0 for connecting to our
internal network and all other NICs without ip# for snorting, using HOME_NET
any, EXTERNAL_NET any. As always, the rule set needs some tweaking depending on
your network.

Remember not to run the db/ACID etc. tools on the same machine since that is a
performance issue.

So long,
Sandro




