AW: [Snort-users] 3 or 4 NICs in a sensor?

Ben Feinstein me at ...6289...
Sun Sep 29 12:55:03 EDT 2002


Hey Sandro,

I only saw problems while putting the card under heavy load for extended
periods of time.  I was using Linux 2.4.18 compiled with FreeS/WAN and
whatever version of the tulip and realtek NIC drivers were included w/ the
kernel.  One interface on the 4-port NIC was running Snort promisc, one
iface was collecting a bunch of syslogs, and another was doing Nessus
scanning.  One of the interfaces on the 4-port NIC was left unused.  I was
also using an on-board NIC w/ the realtek driver.  The on-board NIC was
running an IPSec net-to-net tunnel, with a good bit of traffic.  The host
had a fairly complex iptables policy installed, with policy defined
globally and for each interface being used.  A number of attack hosts were
running Stick and Snot attacks on the Snort monitored network.

After leaving the system up like this for some time, usually < 24 hours,
the promisc interface on the 4-port NIC would stop seeing any packets.  I
verified that this wasn't a problem with Snort by running tcpdump on the
same interface, and saw nothing.  After dropping the interface out of
promisc mode, still no packets were being seen on the iface.  Restarting
the network service (using the init.d script) would cause packets to
resume arriving on the interface.  I could not consistently reproduce the
problem, but the interface usually hung after an extended duration of
testing.

I moved to the Intel PRO/100 S Dual card using a motherboard w/ dual
on-board Intel NICs.  I'm running the e100 driver on all 4 interfaces.
Haven't seen this problem since...

So, in summary, this may not neccessaruly have been a problem with the
D-Link card itself.  Perhaps there were (are?) bugs w/ running multiple
tulip drivers under heavy load and mixing in a promisc iface?  At the time
I wasn't able to investigate the issue any further.  I changed hardware
and the problem went away, which was all I really wanted.

Cheers,
Ben

On Sat, 28 Sep 2002, Poppi, Sandro wrote:

> Ben,
>
> could you be a little more specific about the probs you've had with DLink
> DFE 570TX? I'm using it in 2 boxes and don't see any probs yet.
>
> Thanks,
> Sandro







More information about the Snort-users mailing list