[Snort-users] router installation?
Jason.Haar at ...294...
Mon Oct 4 08:33:36 EDT 2004
> Once you have logging figured out you have many options on how to
> actually configure Snort. You can run multiple instances or have Snort
> monitor the virtual interface "any". If this were not a firewall then
> interface bonding might be appropriate to enable selective interface
> monitoring with a single instance of Snort.
I don't think bonding "disables" using the "raw" Ethernet cards at the
same time(?). That could indeed be a usable option (depending on load of
course). Bond all the Ethernet cards as "bond0" and monitor that with
snort whilst the firewall part carries on doing it's job with the "raw"
I would suggest specifically installing firewall rules disabling any
OUT/FORWARD traffic to bond0 - just to be on the safe side...
More information about the Snort-users