bet at ...6163...
Mon Jun 16 07:00:28 EDT 2003
2003-06-16T08:30:47 Poppi, Sandro:
> I've been using linux' "channel bonding" feature with [ to
> aggregate traffic from multiple NICs into a single snort ]
> Worked without probs (as far as I remember ;)
No problems, but a couple of warnings.
(1) Unless you're using a very recent (not yet integrated into any
standard kernel dist as far as I know) bonding driver, you
_must_ ifconfig the bond0 interface promisc before you
ifenslave --- until very recently, the bonding driver doesn't
propogate promisc mode down to the enslaved interfaces except at
ifenslave time; snort's setting the interface promisc won't
(2) When you ifenslave unnumbered interfaces, ifenslave howls, all
sorts of warnings about its inability to propogate addresses
back and forth. These can be safely ignored, it works fine.
The above caveats notwithstanding, this setup works great, I don't
know a better way to aggregate traffic from multiple NICs into one
snort --- on Linux. This is very very low overhead, and simple.
Other platforms will of course need other solutions. I don't know
what's the recommended approach with OpenBSD.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
More information about the Snort-users