[Snort-users] Two Ethernet Interfaces?

Security Admin SecurityAdmin at ...7235...
Tue Nov 5 06:40:10 EST 2002

Hi Mike, I run all my sensors with dual nics, but there would not be an
issue with a single nic. I use dual nics for security reasons. All logging
to my database and my access for management and maintenance is done through
1 nic, the second nic runs in promiscuous mode and does the logging. The
promiscuous mode nic has no stack (no ip address), and attaches to the
monitored net using a one ay cable. I am also monitoring 10mbit pipes with
my sensors and have no performance issues.
Snort runs in promiscuous mode when you start it, as far as I know that
isn't an option.


-----Original Message-----
From: Mike Koponick [mailto:mike at ...7385...] 
Sent: Monday, November 04, 2002 3:20 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Two Ethernet Interfaces?

I was wondering if it was absolutely necessary to have TWO ethernet
interfaces for the Snort sensor? Is this done for security or performance
issues? I would think that if you had one interface it would work fine if
there wasn't a lot of traffic. However, I would like to run in promisc mode,
as I could "catch" more traffic that way, so I would assume if you wanted to
run in promisc mode you would have to have two ethernet interfaces, true?

Thanks in advance for you help.


This SF.net email is sponsored by: ApacheCon, November 18-21 in
Las Vegas (supported by COMDEX), the only Apache event to be
fully supported by the ASF. http://www.apachecon.com
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list