[Snort-users] Port Aggregator Tap alternatives for snort sensor

CunningPike cunningpike at ...11827...
Sat Oct 4 01:14:15 EDT 2008


We have a box with a 4-port NIC into two taps - we use a separate snort
instance for each, using bpf filters to avoid traffic duplication. Sguil
ties the whole thing together.

CP

On Thu, 2008-10-02 at 10:09 -0400, Stephen Reese wrote:
> > Sounds like an excellent case for the use of BPF filters and multiple
> > instances of snort.
> >
> > instance 1 - snort <params> net 10.0.0.0/8
> > instance 2 - snort <params> not net 10.0.0.0/8
> >
> > This way you will make SURE that anything the first instance doesn't
> > grab the second one will.
> >
> >> I can use the same sensor but then all of the traffic would also be
> >> piled into one database and/or alerts.
> >
> > Regarding the database, you can use the sensor_id (not sure if that is
> > exactly right) parameter of the output database plug-in to identify
> > which instance of snort logged each alert in BASE or whatever you are
> > using.
> 
> Does anyone have a configuration using multiple network taps and one box
> for snort?
> 
> ---internet----> TAP ---router---> TAP ----network cloud---
> 
> I'm planning on using the following configuration:
> 
> var HOME_NET [68.156.63.111,172.16.2.0/24]
> var EXTERNAL_NET !$HOME_NET
> 
> The 68.x.x.x is my external IP where there is a sensor so I can see
> all of the traffic coming in. The 172.x.x.x is for my internal network
> where there will be a sensor placed after the router. Is this the
> proper way to do this using one snort process or should I use two
> snort processes with separate config files?
> 
> Thanks
> 
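The setup CP and the quoted reply describe (one sensor box, one Snort instance per tap, complementary BPF filters so no packet is inspected or logged twice), written up as an added POSIX shell example that is not code from the thread. The interface names eth1/eth2, the HOME_NET filter expression, and the config and log paths are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread: one Snort instance per tap on a
# single sensor box, each with an exclusive BPF filter so that every packet
# is inspected by exactly one instance. Interface names, the HOME_NET filter
# and all paths below are assumed values.

HOME_NET_FILTER='net 68.156.63.111 or net 172.16.2.0/24'
SNORT_CONF=/etc/snort/snort.conf
LOG_BASE=/var/log/snort
DRY_RUN=${DRY_RUN:-1}   # set DRY_RUN=0 to actually start the instances

# bpf_for_role ROLE: print the BPF filter for an instance. "inside" keeps
# HOME_NET traffic, "outside" keeps its exact complement, so the two
# filters are disjoint and together cover everything on the wire.
bpf_for_role() {
    case "$1" in
        inside)  printf '%s\n' "$HOME_NET_FILTER" ;;
        outside) printf 'not (%s)\n' "$HOME_NET_FILTER" ;;
        *)       echo "bpf_for_role: unknown role '$1'" >&2; return 1 ;;
    esac
}

# snort_cmd ROLE IFACE: print the command line for one instance. Each gets
# its own interface (-i) and log directory (-l); the quoted trailing
# expression is the pcap filter Snort applies before any rule is evaluated.
snort_cmd() {
    filter=$(bpf_for_role "$1") || return 1
    printf "snort -c %s -i %s -l %s -D '%s'\n" \
        "$SNORT_CONF" "$2" "$LOG_BASE/$1" "$filter"
}

# launch_all ROLE:IFACE ...: refuse to start if an interface is listed
# twice (two instances on one tap leg would log the same traffic twice),
# otherwise print (dry run) or start each instance.
launch_all() {
    seen=""
    for pair in "$@"; do
        role=${pair%%:*}; iface=${pair#*:}
        case " $seen " in
            *" $iface "*) echo "launch_all: $iface listed twice" >&2; return 1 ;;
        esac
        seen="$seen $iface"
        cmd=$(snort_cmd "$role" "$iface") || return 1
        if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$cmd"; else eval "$cmd"; fi
    done
}

launch_all inside:eth1 outside:eth2
```

Run with DRY_RUN=1 (the default) to review the two command lines before starting anything; separate log directories keep each instance's alerts distinguishable when they are later loaded into one database.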