[Snort-users] dual interface?
phillip_tyre at ...131...
Thu Oct 24 13:37:18 EDT 2002
Daniel, I'm new to snort, but I have been having good luck so far with the following. Maybe some of the more experienced people could give a critique of any problems the following might cause.
For 609.00 US last week you could buy a P4 2GHz Dell with 512MB of RAM. So I did. That didn't leave a lot of play money for NICs, so in addition to the onboard 10/100 NIC, I raided the supply box and came up with a handful of 3Coms, all different models and vintages. I slapped 4 of them in my sensor box running Red Hat 7.3, and brought them up.
I wanted to use the onboard NIC for my SQL logging/management interface, and it always defaulted to the highest number, eth4, so I configured it with an IP address, then brought up the other NICs with no IP address:
ifconfig eth0 up
ifconfig eth2 up
ifconfig eth3 up
Since I was monitoring traffic outside my firewall, inside my firewall, and inside each of my DMZs, I wanted to be able to configure my rules independently, so I'm running 4 separate instances of Snort:
snort -i eth0 -U -o -d -D -c /etc/snort/snort0.conf
snort -i eth1 -U -o -d -D -c /etc/snort/snort1.conf
snort -i eth2 -U -o -d -D -c /etc/snort/snort2.conf
snort -i eth3 -U -o -d -D -c /etc/snort/snort3.conf
Processor utilization doesn't seem to be out of control, but that could be because I went the overkill route on the hardware platform.
Hope this helps, and I welcome any feedback.
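The layout described in the post above, written as a small launcher script. This is an added example, not part of the original message: the function names are hypothetical, the interface names, Snort flags and config paths are the ones quoted in the post, and the refusal to start Snort on an interface that has an IPv4 address is a check added here.

```shell
#!/bin/sh
# Added example: one Snort instance per address-less sniffing interface.
MGMT_IF="eth4"                      # management/SQL logging NIC (from the post)
SNIFF_IFS="eth0 eth1 eth2 eth3"     # sniffing NICs (from the post)
CONF_DIR="/etc/snort"

# Succeeds if the ifconfig output on stdin shows an IPv4 address.
# Matches the old "inet addr:1.2.3.4" and the newer "inet 1.2.3.4" formats;
# "inet6" lines do not match.
has_ipv4() {
    grep -Eq '^[[:space:]]*inet (addr:)?[0-9]+\.'
}

# Print the commands for one sniffing interface; refuse the management NIC.
plan_sensor() {
    ifname="$1"
    if [ "$ifname" = "$MGMT_IF" ]; then
        echo "refusing to sniff on management interface $ifname" >&2
        return 1
    fi
    echo "ifconfig $ifname up"
    echo "snort -i $ifname -U -o -d -D -c $CONF_DIR/snort${ifname#eth}.conf"
}

# Print the full plan without touching the system.
plan_all() {
    for ifname in $SNIFF_IFS; do
        plan_sensor "$ifname" || return 1
    done
}

# Bring each interface up, verify it carries no IP, then start its sensor.
run_all() {
    for ifname in $SNIFF_IFS; do
        plan_sensor "$ifname" >/dev/null || return 1
        conf="$CONF_DIR/snort${ifname#eth}.conf"
        [ -r "$conf" ] || { echo "missing config $conf" >&2; return 1; }
        ifconfig "$ifname" up || return 1
        if ifconfig "$ifname" | has_ipv4; then
            echo "$ifname has an IP address; not starting Snort on it" >&2
            return 1
        fi
        snort -i "$ifname" -U -o -d -D -c "$conf" || return 1
    done
}

# "plan" prints the commands only; "run" executes them (needs root).
case "${1:-}" in
    plan) plan_all ;;
    run)  run_all ;;
esac
```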