[Snort-users] Port Aggregator Tap alternatives for snort sensor

CunningPike cunningpike at ...11827...
Mon Oct 6 00:05:36 EDT 2008


Hi Paul,

We are filtering by IP range.

CP

On Sun, 2008-10-05 at 10:29 -0400, Paul Melson wrote:
> On Sat, Oct 4, 2008 at 1:14 AM, CunningPike <cunningpike at ...11827...> wrote:
> > We have a box with a 4-port NIC into two taps - we use a separate snort
> > instance for each, using bpf filters to avoid traffic duplication. Sguil
> > ties the whole thing together.
> 
> Are you using bpf filters to filter by IP src/dst or vlan id?  I'm
> interested in hearing from anyone that's using bpf filters to separate
> traffic by vlan as to how performance is, if there are any
> configuration/testing gotchas, etc.
> 
> Thanks,
> PaulM




