[Snort-users] router installation?

Jason security at ...5028...
Mon Oct 4 10:20:53 EDT 2004


Jason Haar wrote:

> Jason wrote:
> 
>> Once you have logging figured out you have many options on how to 
>> actually configure Snort. You can run multiple instances or have Snort 
>> monitor the virtual interface "any". If this were not a firewall then 
>> interface bonding might be appropriate to enable selective interface 
>> monitoring with a single instance of Snort.
> 
> I don't think bonding "disables" using the "raw" Ethernet cards at the 
> same time(?). That could indeed be a usable option (depending on load of 
> course). Bond all the Ethernet cards as "bond0" and monitor that with 
> snort whilst the firewall part carries on doing its job with the "raw" 
> eth* interfaces.
> 
> I would suggest specifically installing firewall rules disabling any 
> OUT/FORWARD traffic to bond0 - just to be on the safe side...

My fear is that the bonding could end up mixing the traffic and allow 
bypass of the firewall. I have not seen or done any testing to validate 
whether it is an issue or not, and I have no knowledge of how interface 
bonding is implemented; however, I suspect it is to support multiple NICs 
at a single address for more throughput. If this is the case then I 
would certainly not attempt to intermix them on a firewall. I shy away 
from doing it because of these unanswered questions. This being a 
firewall, I would want to minimize the opportunity for bypass and stick 
with separate instances.
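An added example, not part of this thread or of Snort: a small POSIX shell audit that reads an iptables-save style dump and confirms the monitoring bond (assumed to be named bond0) is dropped in OUTPUT and FORWARD, which is the "just to be on the safe side" rule set suggested above; the sample dumps are constructed.

```shell
#!/bin/sh
# Name of the bonded monitoring interface (assumed; override via environment).
BOND_IF="${BOND_IF:-bond0}"

# Return 0 if the ruleset on stdin has a DROP/REJECT rule in chain $1 whose
# interface option ($2, "-i" or "-o") names the bond interface.
chain_blocks_bond() {
    grep -E "^-A $1 .*$2 ${BOND_IF} .*-j (DROP|REJECT)" >/dev/null
}

# Audit one ruleset (iptables-save text passed as $1). Returns 0 when the bond
# is isolated, 1 otherwise; the missing rules are named on stdout.
audit_ruleset() {
    missing=""
    printf '%s\n' "$1" | chain_blocks_bond OUTPUT  -o || missing="$missing OUTPUT(-o)"
    printf '%s\n' "$1" | chain_blocks_bond FORWARD -o || missing="$missing FORWARD(-o)"
    printf '%s\n' "$1" | chain_blocks_bond FORWARD -i || missing="$missing FORWARD(-i)"
    if [ -n "$missing" ]; then
        echo "${BOND_IF} not isolated; missing drop rules:$missing"
        return 1
    fi
    echo "${BOND_IF} isolated from OUTPUT/FORWARD"
    return 0
}

# The rules the thread suggests, made explicit. Printed, never applied here.
print_isolation_rules() {
    printf 'iptables -I OUTPUT 1 -o %s -j DROP\n'  "$BOND_IF"
    printf 'iptables -I FORWARD 1 -o %s -j DROP\n' "$BOND_IF"
    printf 'iptables -I FORWARD 1 -i %s -j DROP\n' "$BOND_IF"
}

# Constructed sample dumps in iptables-save format (not from a real host).
GOOD_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i bond0 -j DROP
-A FORWARD -o bond0 -j DROP
-A OUTPUT -o bond0 -j DROP
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT'
BAD_RULES='*filter
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT'
```

Run `audit_ruleset "$(iptables-save)"` on the firewall itself to check the live table, or feed it a saved dump from a config repository.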
