[Snort-users] Port Aggregator Tap alternatives for snort sensor

Paul Melson pmelson at ...11827...
Sun Oct 5 10:29:20 EDT 2008


On Sat, Oct 4, 2008 at 1:14 AM, CunningPike <cunningpike at ...11827...> wrote:
> We have a box with a 4-port NIC into two taps - we use a separate snort
> instance for each, using bpf filters to avoid traffic duplication. Sguil
> ties the whole thing together.

Are you using bpf filters to filter by IP src/dst or vlan id?  I'm
interested in hearing from anyone that's using bpf filters to separate
traffic by vlan as to how performance is, if there are any
configuration/testing gotchas, etc.

Thanks,
PaulM



