[Snort-users] Snort 3, IDS mode, Monitor Multiple Interface At Same Time

Michael Altizer mialtize at cisco.com
Mon Jun 25 10:56:16 EDT 2018


Snort3 will not natively aggregate packets from packet sources.  You 
need a DAQ module that will do so for you and present it to Snort as a 
single stream of packets. If you specify -i N times, you will need N 
packet threads (-z N) to process all of the packets.  On Linux systems, 
you can use AFPacket (--daq afpacket) to listen on multiple interfaces 
at one time.  If you run it in passive mode, it takes a colon-separated 
list of interface names as its input specification (for example: -i 
VLAN10:VLAN20:VLAN30:...) and will open the socket/create an RX ring for 
each and round robin over them when looking for packets. There is a 
fairly arbitrary limit of 32 interfaces that I threw on the AFPacket DAQ 
module and I've never tested with anything close to that, but it should 
work with the caveats that there will be some latency penalty for each 
interface added (not a problem if you're passive rather than inline) and 
the total packet buffer memory (default = 128mb) will be divided evenly 
across all of the interfaces in the set.  So, to monitor 50 
subinterfaces, your minimum config would be to run two packet threads 
with AFPacket configured to listen on 25 subinterfaces in each (-d 
afpacket -i VLAN1:...:VLAN25 -i VLAN26:...:VLAN50 -z2).

Alternatively, have you considered doing policy by VLAN internally in 
Snort (binder 'when' statements using VLAN criteria) and having it sniff 
the aggregated, tagged traffic like Al suggested?

On 06/22/2018 10:28 AM, Moojit wrote:
> Yes I can, but I would prefer to bind to separate VLAN tags
>
>
> On 6/22/2018 8:30 AM, Al Lewis (allewi) wrote:
>> Hello,
>>
>>     Can you span the traffic to a single interface?
>>
>> Albert Lewis
>> ENGINEER.SOFTWARE ENGINEERING
>> Cisco Systems Inc.
>> Email: allewi at cisco.com
>>   On 6/22/18, 9:29 AM, "Snort-users on behalf of Moojit" 
>> <snort-users-bounces at lists.snort.org on behalf of moojit at moojit.net> 
>> wrote:
>>
>>      Hello,
>>           I have a question on using the -i switch.
>>           I have approximately 50 subnets to monitor, is it possible to
>>      enter a range of interfaces instead of the individual -i?
>>      _______________________________________________
>>      Snort-users mailing list
>>      Snort-users at lists.snort.org
>>      Go to this URL to change user options or unsubscribe:
>>      https://lists.snort.org/mailman/listinfo/snort-users
>>           Please visit http://blog.snort.org to stay current on all 
>> the latest Snort news!
>>           Please follow these rules: 
>> https://snort.org/faq/what-is-the-mailing-list-etiquette
>>
>
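
The two approaches Michael describes, as an added example that is not code from the post or from the Snort project: a POSIX shell helper that splits a run of subinterfaces into colon-separated AFPacket lists (capped at the 32-interface limit he mentions), emits one -i per list and a matching -z thread count, and, for the binder alternative, generates a snort.lua binder fragment with a 'when' clause per VLAN. The interface naming scheme eth0.<vlan> and the per-VLAN policy file names vlanNN.lua are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the post or the Snort project. Builds the Snort 3
# options the thread describes: each -i carries a colon-separated AFPacket
# interface list, and -z must equal the number of -i options (one packet
# thread per list). Interface names eth0.<vlan> and the policy files
# vlanNN.lua are hypothetical; the cap of 32 interfaces per list is the
# AFPacket DAQ limit stated in the post.

# afpacket_groups PREFIX FIRST LAST PER_GROUP
# Prints one colon-separated interface list per line, each holding at most
# PER_GROUP interfaces (refused above the AFPacket cap of 32).
afpacket_groups() {
    prefix=$1 first=$2 last=$3 per=$4
    if [ "$per" -lt 1 ] || [ "$per" -gt 32 ]; then
        echo "afpacket_groups: group size must be 1..32" >&2
        return 1
    fi
    n=$first group="" count=0
    while [ "$n" -le "$last" ]; do
        if [ -z "$group" ]; then group="$prefix$n"; else group="$group:$prefix$n"; fi
        count=$((count + 1)); n=$((n + 1))
        if [ "$count" -eq "$per" ]; then
            printf '%s\n' "$group"; group=""; count=0
        fi
    done
    if [ -n "$group" ]; then printf '%s\n' "$group"; fi
}

# snort_args PREFIX FIRST LAST PER_GROUP
# Emits '--daq afpacket -i <list> ... -z N': one -i per interface list and
# one packet thread per -i, which is the minimum the post requires.
snort_args() {
    groups=$(afpacket_groups "$@") || return 1
    args="" threads=0
    for g in $groups; do
        args="$args -i $g"
        threads=$((threads + 1))
    done
    printf '%s\n' "--daq afpacket$args -z $threads"
}

# binder_lua VLAN...
# Emits a snort.lua binder fragment: one 'when = { vlans = ... }' entry per
# tagged VLAN selecting a per-VLAN IPS policy file (hypothetical names),
# followed by the usual default wizard binding. This is the in-Snort
# alternative to opening one packet source per VLAN.
binder_lua() {
    printf 'binder =\n{\n'
    for v in "$@"; do
        printf "    { when = { vlans = '%s' }, use = { ips_policy = 'vlan%s.lua' } },\n" "$v" "$v"
    done
    printf "    { use = { type = 'wizard' } },\n}\n"
}

# Demonstration: 50 subinterfaces eth0.1..eth0.50 split into two lists of
# 25, plus a binder fragment for three VLANs.
snort_args eth0. 1 50 25
binder_lua 10 20 30
```

The group size is a tuning knob rather than a fixed value: fewer interfaces per list means more packet threads and less latency per round-robin pass, while the AFPacket buffer (128 MB by default) is divided evenly among the interfaces in each list, so very large lists leave each interface with a small RX ring.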

