[Snort-users] 4-Port NIC
Basselgia, Barry A Mr (NAF Atsugi)
BABasselgia at ...12104...
Mon Mar 7 16:02:44 EST 2005
I've just finished setting up a snort sensor with 6 network interfaces on 1
box, running SuSE 9.1.
The hardware is a Dell Precision 340 with a built in 10/100 nic.
I've added 2 Intel Pro/1000 MT Dual Port Adapters and a 3Com 3C905 10/100
I use the built in port as my management interface, it's the only one with
an IP address, snort does not monitor this interface
I use channel bonding on the Dual Port Adapters giving me interface bond0
and bond1, they are connected the netoptic 10/100 Ethernet taps. Each
interface, bond0 and bond1, has it's own instance of snort running.
I have the 3Com nic connected to a port on a Cisco switch which is
configured for network monitoring. This interface also has it's own
instance of snort.
All 3 instances of snort are using the unified binary logging. I also have
3 instances of barnyard running that feed the data via an ssh tunnel to my
mysql database on a different box.
All this is running fairly smoothly. My main problem right now is memory,
the box only has 512meg, I do on occasion have a problem were snort seems to
gets swapped out. Which obviously causes it to drop packets. This mostly
happens when I'm logged onto the box. I have more memory on order which I
think will solve that problem.
I don't know much about the Dlink Adapters. After reading some reviews and
discussion here on the mailing list, check the archives, I decided to go
with the intel multi port adapters. I believe network adapter performance
could make/break this type of configuration.
Hope that helps.
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of
rpiperno at ...13135...
Sent: Tuesday, March 08, 2005 12:27 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] 4-Port NIC
I am setting up snort and would like to have three sensors (running
One for the public side, one for the private side and the third for the DMZ.
will have them reporting back to a server running MySQL and Openaanval. I
considering putting in one box for the sensors using a Dlink DFE-570TX...is
this a good solution or would I be better off with three seperate boxes for
sensors? I will be using Barnyard any issues with that in this
Thanks in advance for your help!
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
More information about the Snort-users