[Snort-users] router installation?

Jason Haar Jason.Haar at ...294...
Mon Oct 4 08:33:36 EDT 2004


Jason wrote:

> Once you have logging figured out you have many options on how to 
> actually configure Snort. You can run multiple instances or have Snort 
> monitor the virtual interface "any". If this were not a firewall then 
> interface bonding might be appropriate to enable selective interface 
> monitoring with a single instance of Snort.


I don't think bonding "disables" using the "raw" Ethernet cards at the 
same time(?). That could indeed be a usable option (depending on load of 
course). Bond all the Ethernet cards as "bond0" and monitor that with 
Snort whilst the firewall part carries on doing its job with the "raw" 
eth* interfaces.

I would suggest specifically installing firewall rules disabling any 
OUT/FORWARD traffic to bond0 - just to be on the safe side...

Jason





