AW: [Snort-users] Connecting snort bidirectionnal.

Poppi, Sandro Sandro.Poppi at ...3316...
Thu May 23 02:02:03 EDT 2002


If you're using linux (I think *bsd should have that feature too but I don't
know) you could try to recompile your kernel with channel bonding activated
which gives you one logical interface with 2+ physical interfaces. I use
that configuration when tapping to recombine streams and snort runs well.

Take a look on http://sourceforge.net/projects/bonding

HTH,
Sandro
> 
> Hello 
> 
> I have a little problem with the connection of my SNORT IDS 
> on my provider 
> :
> 
> I use the "classical" stealth connection with a tap :
> 
> Internet -------------TAP----------------Firewall
>                       |  |
>                   out |  |in
>                       |  |
>                      SNORT
> 
> The problem is : the tap gives me 2 outputs connected to 2 
> interfaces on 
> my Snort box : one for
> the outbound traffic and one for the inbound traffic.
> 
> So I use two instances of snort to monitor the in and the 
> out, but I can't 
> make "activate" rules to work
> on the answer.
> 
> As my net is full duplex, the "net-men" told me that putting a hub to 
> merge the in and out should 
> lead to collisions and loss of packets.
> 
> Any ideas ?
> 
> Patrice ARNAL
> ALCANET France
> Site d'ILLKIRCH
> 1 Route du Dr Albert SCHWEITZER
> 67408 ILLKIRCH CEDEX
> 
> _______________________________________________________________
> 
> Don't miss the 2002 Sprint PCS Application Developer's Conference
> August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 




More information about the Snort-users mailing list