AW: [Snort-users] 3 or 4 NICs in a sensor?

Poppi, Sandro Sandro.Poppi at ...3316...
Fri Sep 27 05:30:04 EDT 2002


I ran into the same problem. I would highly recommend separating Snort from
doing anything other than IDS sniffing. Even writing into a DB should not be
handled by Snort but by Barnyard, leaving Snort in high-speed logging using
the unified format.

Just my $0.02

Ciao,
Sandro
> 
> I run three incidences of snort on one box.  I use three different command
> lines to run on eth1, eth2 and eth3... Ethernet 4 is my management port.  So
> I have 4 NICs in the box and all runs just fine.  My only problem seems to
> be when I get a lot of alerts in the MySQL database, cleaning them up takes
> the system to 100% CPU utilized.  And ACID times out.  I am beginning to
> look for possibly some other boxes to run the sensors on and have 1 box just
> for the MySQL and ACID interfaces.
> 
> Mike
> 
> ----- Original Message -----
> From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan at ...2218...>
> To: "Snort List (E-mail)" <snort-users at lists.sourceforge.net>
> Sent: Thursday, September 26, 2002 6:18 PM
> Subject: [Snort-users] 3 or 4 NICs in a sensor?
> 
> 
> >
> > Hello,
> >
> > I'm using Snort 1.8.7 on RHLinux7.0 on a Compaq DL360. Currently it has 2
> > NICs (1 for management, one for the sniffer). My current sensor is not
> > exposed to heavy traffic and I was considering adding more NICs to the box
> > so I can have it monitoring other segments at the same time, rather than
> > build more sensors. Is anyone out there running Snort on a box with say, 4
> > NICs, where 3 of the NICs are each running their own Snort instance,
> > monitoring different network segments? If traffic is light enough on each
> > segment, it seems better not to waste extra hardware and build separate
> > sensors.
> >
> > I wanted to get an idea if others are doing this, is it wise to do it, will
> > it work etc?
> >
> > Thanks!
> > Paul
> >
> >
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by:ThinkGeek
> > Welcome to geek heaven.
> > http://thinkgeek.com/sf
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> 
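
The split recommended in the reply at the top of this message, sketched as an added configuration example (not part of the original thread and not the Snort or Barnyard projects' shipped configuration): Snort writes only unified spool files, and Barnyard does the database inserts. The file names, size limit, sensor ID, database name, host and user are assumptions, as is a Barnyard build that includes the ACID database output plugin.

```conf
# ---- snort.conf, before: Snort inserts every alert into MySQL itself ----
# The sniffing process waits on the database for each event.
# (user, password, dbname and host are placeholders)
# output database: log, mysql, user=snort password=CHANGE_ME dbname=snort host=localhost

# ---- snort.conf, after: Snort only appends to binary unified files ----
# Use one snort.conf (or one log directory) per monitored interface so the
# instances on eth1, eth2 and eth3 do not write to the same spool files.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# ---- barnyard.conf: Barnyard reads the spool and feeds MySQL/ACID ----
# sensor_id, database, server and user are assumed values; point "server"
# at the separate MySQL/ACID box if the database is moved off the sensor.
output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort
```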