[Snort-users] snort and network tap

Michael Boman michael.boman at ...4162...
Wed Oct 16 10:30:04 EDT 2002

Hash: SHA1

On Thursday 17 October 2002 01:06, Peter Erickson wrote:
> I am in the process of attaching snort to a network and am not too sure on
> how to attach it with the network tap that I have. I have the Finisar UTP
> IL/1. I have been told to connect the 2 tap ports on the Network Tap to a
> hub and then connect the snort machine to the hub, but after reading some
> articles on the Snort-Users archive, I heard that I wil lose too many
> packets due to collisions and that this would not be a good choice. I also
> read on the snort FAQ that I can not run 1 instance of snort to monitor 2
> interfaces, so I guess that is not too good of an options either. I am just
> wondering what the best way to connect my snort machine to the network
> using the network tap that I have. Thanks in advance.

If you are running Linux I recommend you to investigate the 'channel bonding' 
features in the kernel. I don't know how other OS do the same thing. One 
alternative is to use '-i any' or run two instances of snort. Best way is to 
combine them with channel bonding thought.

Best regards
 Michael Boman

- -- 
Michael Boman
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org


More information about the Snort-users mailing list