[Snort-users] router installation?

Jason security at ...5028...
Sun Oct 3 18:27:01 EDT 2004

There is no technical limitation to doing this, some even use 
snort-inline behind the firewall. Using a single homenet in -h is 
different than using a $HOME_NET for rules tuning. -h is for log 
directory creation and is likely not what you want. You should use a 
binary logging format like unified output and then have the logs post 
processed with something like barnyard. $HOME_NET is for easier rule 
tuning and supports multiple networks.

Once you have logging figured out you have many options on how to 
actually configure Snort. You can run multiple instances or have Snort 
monitor the virtual interface "any". If this were not a firewall then 
interface bonding might be appropriate to enable selective interface 
monitoring with a single instance of Snort.

I would suggest that if you are running on the firewall you either use a 
separate process for each interface and tune each ruleset appropriately 
or exploring running snort in inline mode.

Magnus Ternström wrote:

> Hi,
> I'm thinking about giving the pig a try on my firewalls but i need to know
> if snort supports
> running on a linux router with multiple NIC's. One has 5 networks in
> production enviroment.
> Why im asking is that all the guides tell me to specify _one_ "home net"
> with -h switch.
> Any hints and ideas are welcome.
> Kind regards,
> Magnus - Snort newbie

More information about the Snort-users mailing list