[Snort-users] dual interface?

Phillip Tyre phillip_tyre at ...131...
Thu Oct 24 13:37:18 EDT 2002


Daniel, I'm new to snort, but I have been having good luck so far with the following. Maybe some of the more experienced people could give a critique of any problems the following might cause.

For 609.00 US last week you could buy a P4 2 GHz Dell with 512 MB of RAM. So I did. That didn't leave a lot of play money for NICs, so in addition to the onboard 10/100 NIC, I raided the supply box and came up with a handful of 3Coms, all different models and vintages. I slapped 4 of them in my sensor box running 7.3 Redhat, and brought them up.

I wanted to use the onboard NIC for my SQL logging/management interface, and it always defaulted to the highest number, eth4, so I configured it with an IP address, then brought up the other NICs with no IP address:

ifconfig eth0 up
ifconfig eth1 up
ifconfig eth2 up
ifconfig eth3 up

Since I was monitoring traffic outside my firewall, inside my firewall, and inside each of my DMZs, I wanted to be able to configure my rules independently, so I'm running 4 separate instances of snort:

snort -i eth0 -U -o -d -D -c /etc/snort/snort0.conf
snort -i eth1 -U -o -d -D -c /etc/snort/snort1.conf
snort -i eth2 -U -o -d -D -c /etc/snort/snort2.conf
snort -i eth3 -U -o -d -D -c /etc/snort/snort3.conf

Processor utilization doesn't seem to be out of control, but that could be because I went the overkill route on the hardware platform. 

Hope this helps, and I welcome any feedback.

Phillip Tyre
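
The setup described in the message above, as an added example that is not part of the original post: a dry-run planner that emits the per-interface `ifconfig` and `snort` commands only for sniffing NICs that carry no IPv4 address. The interface names, config paths and Snort flags are the ones in the post; the function names, the sample data and the use of `ip -o -4 addr show` output as input are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Plans one Snort instance per
# sniffing interface and refuses any interface that has an IPv4 address,
# since the post runs its sensors on NICs brought up with no IP.
# Assumption: input is in the one-line format of `ip -o -4 addr show`.

SNIFF_IFACES="eth0 eth1 eth2 eth3"   # eth4 is the addressed management NIC

# addressed_ifaces: read `ip -o -4 addr show` output on stdin and print the
# names of interfaces that have an IPv4 address, one per line, sorted.
addressed_ifaces() {
    awk '$3 == "inet" { print $2 }' | sort -u
}

# plan_sensors: read the same input on stdin; for each sniffing interface
# print either the two commands from the post or a SKIP line.
plan_sensors() {
    addressed=$(addressed_ifaces)
    for ifc in $SNIFF_IFACES; do
        n=${ifc#eth}                 # eth2 -> 2, selects snort2.conf
        if printf '%s\n' "$addressed" | grep -qx "$ifc"; then
            echo "SKIP $ifc: has an IPv4 address, expected none"
        else
            echo "ifconfig $ifc up"
            echo "snort -i $ifc -U -o -d -D -c /etc/snort/snort$n.conf"
        fi
    done
}

# Constructed sample input: eth2 was given an address by mistake.
SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
3: eth2    inet 10.0.2.15/24 brd 10.0.2.255 scope global eth2\       valid_lft forever preferred_lft forever
5: eth4    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth4\       valid_lft forever preferred_lft forever'

# Dry run on the sample. On a live sensor: ip -o -4 addr show | plan_sensors
printf '%s\n' "$SAMPLE" | plan_sensors
```

The script only prints the commands; review the plan, then pipe it to `sh` as root to apply it.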


 


