[Snort-users] Port Aggregator Tap alternatives for snort sensor
cunningpike at ...11827...
Sat Oct 4 01:14:15 EDT 2008
We have a box with a 4-port NIC into two taps - we use a separate snort
instance for each, using bpf filters to avoid traffic duplication. Sguil
ties the whole thing together.
On Thu, 2008-10-02 at 10:09 -0400, Stephen Reese wrote:
> > Sounds like an excellent case for the use of BPF filters and multiple
> > instances of snort.
> > instance 1 - snort <params> net 10.0.0.0/8
> > instance 2 - snort <params> not net 10.0.0.0/8
> > This way you will make SURE that anything the first instance doesn't
> > grab the second one will.
> >> I can use the same sensor but then all of the traffic would also be
> >> piled into one database and/or alerts.
> > Regarding the database, you can use the sensor_id (not sure if that is
> > exactly right) parameter of the output database plug-in to identify
> > which instance of snort logged each alert in BASE or whatever you are
> > using.
> Does anyone have a configuration using multiple network taps and one box
> for snort?
> ---internet----> TAP ---router---> TAP ----network cloud---
> I'm planning on using the following configuration:
> var HOME_NET [188.8.131.52,172.16.2.0/24]
> var EXTERNAL_NET !$HOME_NET
> The 68.x.x.x is my external IP where there is a sensor so I can see
> all of the traffic coming in. The 172.x.x.x is for my internal network
> where there will be a sensor placed after the router. Is this the
> proper way to do this using one snort process or should I use two
> snort processes with separate config files?
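Added example, not part of the original thread: a small Python model of the two-tap layout discussed above, counting how many Snort instances inspect each packet with and without the complementary BPF filters. The tap names, the sample packets and the no-NAT assumption are constructed for illustration.

```python
import ipaddress
from collections import Counter

HOME = ipaddress.ip_network("10.0.0.0/8")  # network used in the thread's filters

def net(pkt, network=HOME):
    """BPF 'net X': true when the source OR the destination is inside X."""
    return any(ipaddress.ip_address(a) in network for a in (pkt["src"], pkt["dst"]))

# One Snort instance per tap: (taps it listens on, BPF predicate).
UNFILTERED = {"outside": ({"outside"}, lambda p: True),
              "inside":  ({"inside"},  lambda p: True)}
FILTERED = {"outside": ({"outside"}, lambda p: not net(p)),  # not net 10.0.0.0/8
            "inside":  ({"inside"},  net)}                   # net 10.0.0.0/8

# Constructed sample traffic and the taps that see it (no NAT assumed).
PACKETS = [
    # inbound and outbound transit traffic crosses the router: both taps see it
    {"id": 1, "src": "198.51.100.7", "dst": "10.1.2.3", "taps": {"outside", "inside"}},
    {"id": 2, "src": "10.1.2.3", "dst": "198.51.100.7", "taps": {"outside", "inside"}},
    # traffic to the router's own outside address never reaches the inside tap
    {"id": 3, "src": "198.51.100.7", "dst": "203.0.113.1", "taps": {"outside"}},
    # purely internal traffic never reaches the outside tap
    {"id": 4, "src": "10.1.2.3", "dst": "10.9.9.9", "taps": {"inside"}},
]

def inspections(instances, packets=PACKETS):
    """Return {packet id: number of instances that inspect it}."""
    seen = Counter({p["id"]: 0 for p in packets})
    for taps, accepts in instances.values():
        for p in packets:
            if p["taps"] & taps and accepts(p):
                seen[p["id"]] += 1
    return dict(seen)

if __name__ == "__main__":
    print("no filters:", inspections(UNFILTERED))
    print("bpf split :", inspections(FILTERED))
```

A count of 2 means duplicate alerts for the same packet; a count of 0 means a blind spot, which this model reports for a 10.0.0.0/8 packet that appears only on the outside tap.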