[Snort-users] 3 or 4 NICs in a sensor?

Erek Adams erek at ...577...
Fri Sep 27 10:20:05 EDT 2002

On Thu, 26 Sep 2002, Sheahan, Paul (PCLN-NW) wrote:

> I'm using Snort 1.8.7 on RHLinux7.0 on a Compaq DL360. Currently it has 2
> NICs (1 for management, one for the sniffer). My current sensor is not
> exposed to heavy traffic and I was considering adding more NICs to the box
> so I can have it monitoring other segments at the same time, rather than
> build more sensors. Is anyone out there running Snort on a box with say, 4
> NICs, where 3 of the NICs are each running their own Snort instance,
> monitoring different network segments? If traffic is light enough on each
> segment, it seems better not to waste extra hardware and build separate
> sensors.
> I wanted to get an idea if others are doing this, is it wise to do it, will
> it work etc?

Short answer:  Yes, do it.

Longer answer:  Works like a charm.  One other thing that you might want to
consider is to use a quad port card.  One slot, but 4 ports.  I'm not sure on
pricing, but the Sun QFE used to be around $1200.  I'm sure you can get one
cheaper than that.  I'm sure if you check websites you can find a good deal on


Erek Adams
