[Snort-users] router installation?
security at ...5028...
Mon Oct 4 10:20:53 EDT 2004
Jason Haar wrote:
> Jason wrote:
>> Once you have logging figured out you have many options on how to
>> actually configure Snort. You can run multiple instances or have Snort
>> monitor the virtual interface "any". If this were not a firewall then
>> interface bonding might be appropriate to enable selective interface
>> monitoring with a single instance of Snort.
> I don't think bonding "disables" using the "raw" Ethernet cards at the
> same time(?). That could indeed be a usable option (depending on load of
> course). Bond all the Ethernet cards as "bond0" and monitor that with
> snort whilst the firewall part carries on doing its job with the "raw"
> eth* interfaces.
> I would suggest specifically installing firewall rules disabling any
> OUT/FORWARD traffic to bond0 - just to be on the safe side...
My fear is that the bonding could end up mixing the traffic and allow
bypass of the firewall. I have not seen or done any testing to validate
whether it is an issue or not, and I have no knowledge of how interface
bonding is implemented; however, I suspect it is to support multiple NICs
at a single address for more throughput. If this is the case then I
would certainly not attempt to intermix them on a firewall. I shy away
from doing it because of these unanswered questions. This being a
firewall, I would want to minimize the opportunity for bypass and stick
with separate instances.
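The firewall rules Jason Haar suggests (dropping any OUT/FORWARD traffic on bond0) and the bypass worry in the reply above both come down to whether the sniffing interface can ever carry forwarded or locally generated packets, which in netfilter is a rule-ordering question. The following is an added example, not code from the original messages or from the Snort project: a Python check that parses iptables-save output and verifies that bond0 is isolated in the filter table, i.e. there is a DROP (or REJECT) for -o bond0 in OUTPUT and FORWARD and for -i bond0 in FORWARD, and no ACCEPT on bond0 sits ahead of it. The interface name bond0, the ISOLATION_RULES commands and the two rulesets are assumptions and constructed samples.

```python
"""Audit iptables-save output for bond0 isolation on a Snort sensor/firewall.

Added example for this thread; not code from the original messages or from
the Snort project. Assumptions: a Linux firewall, the sniffing interface is a
bonding device named bond0, and the ruleset is available as `iptables-save`
text. The two rulesets at the bottom are constructed samples.
"""
import re
import sys
from typing import Dict, List, Tuple

SNIFF_IF = "bond0"  # assumption: the bonded, monitor-only interface

# Rules that keep the kernel from sending or forwarding via the sniffing
# interface. "-I <chain> 1" puts them first so no later ACCEPT matches earlier.
ISOLATION_RULES = [
    f"iptables -I OUTPUT 1 -o {SNIFF_IF} -j DROP",
    f"iptables -I FORWARD 1 -o {SNIFF_IF} -j DROP",
    f"iptables -I FORWARD 1 -i {SNIFF_IF} -j DROP",
]

_RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")


def parse_filter_table(saved: str) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Return (chain policies, {chain: [rule args in order]}) for the filter table."""
    policies: Dict[str, str] = {}
    chains: Dict[str, List[str]] = {}
    in_filter = False
    for raw in saved.splitlines():
        line = raw.strip()
        if line.startswith("*"):  # table header, e.g. *filter or *nat
            in_filter = line == "*filter"
            continue
        if not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith(":"):  # ":FORWARD ACCEPT [0:0]"
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
            continue
        m = _RULE_RE.match(line)
        if m:
            chains.setdefault(m.group(1), []).append(m.group(2))
    return policies, chains


def _uses_iface(args: str, flag: str, iface: str) -> bool:
    """True if the rule selects packets on `iface` via `flag` (-i or -o)."""
    toks = args.split()
    return any(toks[i] == flag and toks[i + 1] == iface for i in range(len(toks) - 1))


def _target(args: str) -> str:
    toks = args.split()
    return toks[toks.index("-j") + 1] if "-j" in toks else ""


def audit_sniffer_isolation(saved: str, iface: str = SNIFF_IF) -> List[str]:
    """Return findings; an empty list means the sniffing interface is isolated.

    netfilter walks a chain in order and stops at the first terminating target,
    so a DROP only protects if no ACCEPT on the interface precedes it. A DROP
    chain policy is accepted as a fallback when no explicit DROP rule exists.
    """
    policies, chains = parse_filter_table(saved)
    checks = [("OUTPUT", "-o"), ("FORWARD", "-o"), ("FORWARD", "-i")]
    findings: List[str] = []
    for chain, flag in checks:
        dropped = False
        for args in chains.get(chain, []):
            if not _uses_iface(args, flag, iface):
                continue
            target = _target(args)
            if target in ("DROP", "REJECT"):
                dropped = True
                break
            if target == "ACCEPT":
                findings.append(f"{chain}: '{args}' lets {flag} {iface} traffic through before any DROP")
        if not dropped and policies.get(chain) != "DROP":
            findings.append(f"{chain}: no DROP rule for {flag} {iface} and chain policy is {policies.get(chain, 'unknown')}")
    return findings


# Constructed sample: traffic arriving on bond0 can be forwarded.
BAD_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i bond0 -j ACCEPT
COMMIT
"""

# Constructed sample: bond0 dropped before any ACCEPT in each chain.
GOOD_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o bond0 -j DROP
-A FORWARD -i bond0 -j DROP
-A FORWARD -o bond0 -j DROP
-A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    # Usage: iptables-save | python3 audit_bond0.py   (falls back to the bad sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else BAD_RULESET
    problems = audit_sniffer_isolation(text)
    for p in problems:
        print("FINDING:", p)
    if problems:
        print("Fix with:\n  " + "\n  ".join(ISOLATION_RULES))
    sys.exit(1 if problems else 0)
```

Run it as `iptables-save | python3 audit_bond0.py` on the firewall; a non-zero exit means bond0 is reachable from OUTPUT or FORWARD. Two caveats the check does not cover: the Linux bonding driver enslaves the interfaces it aggregates, so once eth0 and eth1 are slaves of bond0 their frames are delivered through bond0 and they are no longer independently routable interfaces for the firewall; and the check only reads the filter table, so rules in nat or mangle that rewrite the outgoing interface are out of scope.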