[Snort-users] router installation?
security at ...5028...
Sun Oct 3 18:27:01 EDT 2004
There is no technical limitation to doing this; some even use
snort-inline behind the firewall. Using a single homenet in -h is
different than using a $HOME_NET for rules tuning. -h is for log
directory creation and is likely not what you want. You should use a
binary logging format like unified output and then have the logs
post-processed with something like barnyard. $HOME_NET is for easier rule
tuning and supports multiple networks.

Once you have logging figured out you have many options on how to
actually configure Snort. You can run multiple instances or have Snort
monitor the virtual interface "any". If this were not a firewall then
interface bonding might be appropriate to enable selective interface
monitoring with a single instance of Snort.

I would suggest that if you are running on the firewall you either use a
separate process for each interface and tune each ruleset appropriately
or explore running Snort in inline mode.

Magnus Ternström wrote:
> I'm thinking about giving the pig a try on my firewalls but I need to know
> if snort supports
> running on a linux router with multiple NICs. One has 5 networks in
> production environment.
> Why I'm asking is that all the guides tell me to specify _one_ "home net"
> with -h switch.
> Any hints and ideas are welcome.
> Kind regards,
> Magnus - Snort newbie
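
The setup suggested in the reply (one Snort process per interface, a multi-network $HOME_NET and unified output for Barnyard) can be sketched as below. This is an added example, not part of the original thread or of the Snort project; the interface names, networks, directory paths and the use of local.rules are constructed assumptions, and the syntax is Snort 2.x.

```shell
#!/bin/sh
# Added example: one Snort 2.x process per firewall interface.
# Interface names, networks and paths are constructed sample values.
CONF_DIR="${CONF_DIR:-./snort-conf}"
LOG_ROOT="${LOG_ROOT:-./snort-log}"
RULE_PATH="${RULE_PATH:-/etc/snort/rules}"   # assumed rules location

# write_conf IFACE NET[,NET...]
# Writes a per-interface config: HOME_NET may list several networks, and
# alerts/packets go to unified binary files for Barnyard to post-process.
write_conf() {
    iface=$1 nets=$2
    case $iface in ''|*[!A-Za-z0-9]*) echo "bad interface: $iface" >&2; return 1 ;; esac
    case $nets in ''|*[!0-9./,]*) echo "bad networks: $nets" >&2; return 1 ;; esac
    mkdir -p "$CONF_DIR" "$LOG_ROOT/$iface" || return 1
    cat > "$CONF_DIR/snort-$iface.conf" <<EOF
var HOME_NET [$nets]
var EXTERNAL_NET !\$HOME_NET
var RULE_PATH $RULE_PATH
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
include \$RULE_PATH/local.rules
EOF
}

# snort_cmd IFACE: print the command line for that interface's instance.
# No -h switch: the home networks come from HOME_NET in the config file.
snort_cmd() {
    printf 'snort -D -i %s -c %s -l %s\n' \
        "$1" "$CONF_DIR/snort-$1.conf" "$LOG_ROOT/$1"
}

# plan: read "IFACE NETS" lines on stdin, write each config, print each command.
plan() {
    while read -r iface nets; do
        [ -n "$iface" ] || continue
        write_conf "$iface" "$nets" || return 1
        snort_cmd "$iface"
    done
}

# Constructed sample layout; run with --demo to write configs and print commands.
if [ "${1:-}" = "--demo" ]; then
    plan <<'EOF'
eth1 192.168.10.0/24,192.168.20.0/24
eth2 10.5.0.0/16
EOF
fi
```

The script only writes config files and prints the commands; review the generated files and trim each instance's ruleset before starting the processes.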