[Snort-users] snort and network tap
michael.boman at ...4162...
Wed Oct 16 10:30:04 EDT 2002
-----BEGIN PGP SIGNED MESSAGE-----
On Thursday 17 October 2002 01:06, Peter Erickson wrote:
> I am in the process of attaching snort to a network and am not too sure on
> how to attach it with the network tap that I have. I have the Finisar UTP
> IL/1. I have been told to connect the 2 tap ports on the Network Tap to a
> hub and then connect the snort machine to the hub, but after reading some
> articles on the Snort-Users archive, I heard that I wil lose too many
> packets due to collisions and that this would not be a good choice. I also
> read on the snort FAQ that I can not run 1 instance of snort to monitor 2
> interfaces, so I guess that is not too good of an options either. I am just
> wondering what the best way to connect my snort machine to the network
> using the network tap that I have. Thanks in advance.
If you are running Linux I recommend you to investigate the 'channel bonding'
features in the kernel. I don't know how other OS do the same thing. One
alternative is to use '-i any' or run two instances of snort. Best way is to
combine them with channel bonding thought.
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----
More information about the Snort-users