[Snort-users] deployment advice

Edin Dizdarevic edin.dizdarevic at ...7509...
Wed Sep 24 08:11:04 EDT 2003


Daniel de Young wrote:
> okay, i'm in the planning stages of a new snort box and could use 
> some feedback/suggestions.
> here is the setup (low volume network)...
> from the caswell + et al book and faq i gather the following:
> 1. in order to monitor multiple interfaces, i'll need to do one of 
> the following:
> A. run multiple instances of snort B. use a bridge interface C. use a
>  snort patch that allows me to specify "any" for interface

AFAIK if you use Linux no special patch is needed. Don't know about
other OSes. Anyway, running capturing processes (tcpdump or Snort) with
the any parameter is not a good idea.

1. All traffic will be copied to all processes - even loopback
2. The socket manpage is claiming that promiscous mode is not working
... anything else known?

man pcap:

pcap_open_live()  is used to obtain a packet capture descriptor to
look at packets on the network.  device is a string that specifies the
network device to open; on Linux systems with 2.2 or later kernels, a
device argument of "any" or NULL  can  be  used  to capture  packets
from all interfaces.  snaplen specifies the maximum number of bytes to

promisc specifies if the interface is to be put into promiscuous mode.
(Note that even if this parameter is false, the interface could well be
in  promiscuous mode  for  some  other  reason.)  For now, this doesn't
work on the "any" device; if an argument of "any" or NULL is supplied,
the promisc flag is ignored.

AFAIK if you're running several instances you'll have to set the
promiscous mode for each NIC manually. I think I've read that a few days
ago. See some older postings on that. Also some conflicts with the
PID files may occure - beware.

> 2. if i'm not running multiple instances i'll need to specify 
> something like the following:
> var HOME_NET [,,etc]
> preprocessor portscan: 5 60 /var/log/snort/portscan.log 
> preprocessor portscan-ignorehosts: etc
> my questions are:
> 1. what are your suggestions for os (no holy wars!)? normally i run 
> openbsd, but i'll need smp this time. i figure my choices are 
> solaris, netbsd, linux. i gather that my next question may have sway 
> on the answer since some methods are os dependent.

Today there has been a posting in the tcpdump mailinglist claiming that
solaris' capturing performance is excellent. I'm using Linux with the
Phill Woods libpcap in a 100Mbit Network. Having some 100 rules for
HTTP I have no packet drops. That's fine.

> 2. i'd like for each segment's data to be logged/stored separately 
> for easy analysis from the database. which method of running multi-if
>  lends itself best to this goal? would it be multiple instances?

Use barnyard and define your sensors appropriately. That shouldn't be
very difficult.

> 3. any other suggestions based on what you see?
> thanks,
> -daniel


Edin Dizdarevic

More information about the Snort-users mailing list