[Snort-users] Multiple snort processes and multiple databases

Rhugga snort-list at ...12135...
Sat Jul 17 11:25:04 EDT 2004


I just built a snort box for monitoring traffic on our internal network. 
I also want to use this same system to monitor traffic on the same 
network as our border router and firewalls. (the point where our network 
traffic is routed onto our T-1 circuits)

I want to take a 2nd interface on this machine and place it on the same 
switch as our router and firewalls. I do not want this interface to have 
an IP address (nor do I want to use a static arp entry anywhere). I then 
want snort to monitor this interface but use a separate database than it 
is using for the internal traffic.

Just a few questions:

1) Is this config possible? I thought I had read something about this in 
the docs somewhere but now I can't find it.
2) Could the fact that this system has interfaces on inside and outside 
nets be a security risk even though the outside interface has no IP 
address? (since there is an obvious firewall bypass point) The switch 
that the router/firewalls are connected to is physically secure and goes 
directly to our T-1 circuits. The router and firewalls are 100 mb full 
duplex on the external network, everything else in our data center is 
gigabit with the exception of our linux cluster. (although the switches 
for our linux cluster are tagged into trunked gigabit ports on a larger 
switch)

Thx for any info,
Rhugga








