[Snort-users] Two Ethernet Interfaces?

Security Admin SecurityAdmin at ...7235...
Tue Nov 5 06:40:10 EST 2002


Hi Mike, I run all my sensors with dual nics, but there would not be an
issue with a single nic. I use dual nics for security reasons. All logging
to my database and my access for management and maintenance is done through
1 nic, the second nic runs in promiscuous mode and does the logging. The
promiscuous mode nic has no stack (no ip address), and attaches to the
monitored net using a one ay cable. I am also monitoring 10mbit pipes with
my sensors and have no performance issues.
Snort runs in promiscuous mode when you start it, as far as I know that
isn't an option.

Cheers,
Wayne
http://www.inetsecurity.info

-----Original Message-----
From: Mike Koponick [mailto:mike at ...7385...] 
Sent: Monday, November 04, 2002 3:20 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Two Ethernet Interfaces?

I was wondering if it was absolutely necessary to have TWO ethernet
interfaces for the Snort sensor? Is this done for security or performance
issues? I would think that if you had one interface it would work fine if
there wasn't a lot of traffic. However, I would like to run in promisc mode,
as I could "catch" more traffic that way, so I would assume if you wanted to
run in promisc mode you would have to have two ethernet interfaces, true?

Thanks in advance for you help.

Mike



-------------------------------------------------------
This SF.net email is sponsored by: ApacheCon, November 18-21 in
Las Vegas (supported by COMDEX), the only Apache event to be
fully supported by the ASF. http://www.apachecon.com
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list