[Snort-users] Question about Inline mode

NA dustypath at ...5068...
Sun Dec 4 17:55:55 EST 2011

On 12/4/11 12:48 PM, Albert E. Whale wrote:
> I have been asked to develop an IDS/IPS solution which can span
> multiple zones behind a firewall.
> While I have reservations in implementing a single box to become an
> active sensor for IDS/IPS solutions on the networks.
> In addition to believing that this is the wrong strategy to use in
> protecting internal networks (I am supposed to protect 4 internal
> networks), I am not certain of the correct configuration of the host
> server.
> In an Inline mode, are the network interfaces linked?  What network
> configuration is required for IDS/IPS or inline configuration?
Inline mode is done via a DAQ module. Inline is supported by at least
the NFQ and Afpacket DAQ modules. This is new to Snort as of the 2.9.x.x
versions. You actually need 3 interfaces as traffic goes across, for
example setting your sensor to detect across eth0:eth1 and eth2 as
the management interface.

> Does the inline mode require two interfaces?
> Can Snort support multiple networks, simultaneously?  Does this reduce
> the throughput capability of the monitor?
Multiple networks can be supported but of course bandwidth is the
consideration here along with the strength of the Snort sensor. There
are better people on this list to answer than me but depending on the
size/bandwidth considerations you may want to consider using 4 sensors
that report to a main server for analysis. Like I said, others on this
list can help there as I have no experience here. Search the Google
Groups list too.
Hope this serves at least as a start to answer your questions.
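Added example, not from the original thread: a small POSIX sh helper set showing the three-interface layout described above (eth0:eth1 bridged by Snort, eth2 kept for management) and the matching afpacket and nfq inline command lines. The function names are hypothetical, the config path /etc/snort/snort.conf is an assumption, and it assumes a Snort 2.9.x build whose DAQ modules can be listed with `snort --daq-list`.

```shell
#!/bin/sh
# Assumed: Snort 2.9.x with the afpacket and nfq DAQ modules available.
# Helper names below are hypothetical, not part of Snort itself.

# Check that an inline pair is "ifA:ifB" with two distinct interfaces and
# that the management interface is not one of them (putting the management
# NIC in the pair would cut you off from the sensor when Snort stops).
sensor_pair_check() {
  pair=$1; mgmt=$2
  case $pair in
    *:*) ;;
    *) echo "pair must be ifA:ifB" >&2; return 1 ;;
  esac
  a=${pair%%:*}; b=${pair#*:}
  [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ] ||
    { echo "pair needs two distinct interfaces" >&2; return 1; }
  case $mgmt in
    "$a"|"$b") echo "management interface $mgmt is in the pair" >&2; return 1 ;;
  esac
  return 0
}

# Build the Snort command line for the chosen DAQ. afpacket bridges the
# pair itself; nfq instead takes packets handed over by an iptables rule
# such as: iptables -A FORWARD -j NFQUEUE --queue-num <queue>
snort_inline_cmd() {
  daq=$1; pair=$2; conf=$3; queue=${4:-0}
  case $daq in
    afpacket) echo "snort -Q --daq afpacket --daq-mode inline -i $pair -c $conf" ;;
    nfq)      echo "snort -Q --daq nfq --daq-mode inline --daq-var queue=$queue -c $conf" ;;
    *) echo "unsupported daq: $daq" >&2; return 1 ;;
  esac
}

# Commands to prepare the bridged pair: no IP address, promiscuous, up.
# Printed rather than executed so they can be reviewed (or piped to sh).
sensor_iface_prep() {
  pair=$1; a=${pair%%:*}; b=${pair#*:}
  for i in "$a" "$b"; do
    echo "ip addr flush dev $i"
    echo "ip link set dev $i promisc on up"
  done
}

# Usage: sensor_pair_check eth0:eth1 eth2 && sensor_iface_prep eth0:eth1 \
#        && snort_inline_cmd afpacket eth0:eth1 /etc/snort/snort.conf
```

The management interface (eth2 here) keeps its normal address; only the bridged pair is left without one.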