[Snort-users] Snort 3, IDS mode, Monitor Multiple Interface At Same Time
mialtize at cisco.com
Mon Jun 25 10:56:16 EDT 2018
Snort3 will not natively aggregate packets from packet sources. You
need a DAQ module that will do so for you and present it to Snort as a
single stream of packets. If you specify -i N times, you will need N
packet threads (-z N) to process all of the packets. On Linux systems,
you can use AFPacket (--daq afpacket) to listen on multiple interfaces
at one time. If you run it in passive mode, it takes a colon-separated
list of interface names as its input specification (for example: -i
VLAN10:VLAN20:VLAN30:...) and will open the socket/create an RX ring for
each and round-robin over them when looking for packets. There is a
fairly arbitrary limit of 32 interfaces that I threw on the AFPacket DAQ
module and I've never tested with anything close to that, but it should
work with the caveats that there will be some latency penalty for each
interface added (not a problem if you're passive rather than inline) and
the total packet buffer memory (default = 128 MB) will be divided evenly
across all of the interfaces in the set. So, to monitor 50
subinterfaces, your minimum config would be to run two packet threads
with AFPacket configured to listen on 25 subinterfaces in each (--daq
afpacket -i VLAN1:...:VLAN25 -i VLAN26:...:VLAN50 -z2).

Alternatively, have you considered doing policy by VLAN internally in
Snort (binder 'when' statements using VLAN criteria) and having it sniff
the aggregated, tagged traffic like Al suggested?
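As an added example (not code from this thread or from the Snort project), a POSIX shell helper that splits a list of subinterfaces into AFPacket sets of at most a chosen size and emits the matching --daq/-i/-z arguments for a passive Snort 3 run. The VLAN1..VLAN50 names and the 32-interface per-set limit come from the reply above; the 25-per-set split is an assumption mirroring its suggestion.

```shell
#!/bin/sh
# Constructed example (not from the original thread): build the Snort 3
# command line for passive AFPacket monitoring of many subinterfaces.
# Assumptions: interfaces are named VLAN1..VLAN50 and the AFPacket DAQ
# accepts at most 32 interfaces per set, as stated in the reply above.

AFPACKET_MAX_IFACES=32

# split_ifaces "VLAN1 VLAN2 ..." GROUP_SIZE
# Prints one colon-separated interface set per line, at most GROUP_SIZE
# interfaces per set; fails if GROUP_SIZE is outside 1..32.
split_ifaces() {
    ifaces=$1
    size=$2
    [ "$size" -ge 1 ] && [ "$size" -le "$AFPACKET_MAX_IFACES" ] || return 1
    set -- $ifaces
    group=""
    n=0
    for i in "$@"; do
        if [ -z "$group" ]; then group=$i; else group="$group:$i"; fi
        n=$((n + 1))
        if [ "$n" -eq "$size" ]; then
            echo "$group"
            group=""; n=0
        fi
    done
    [ -n "$group" ] && echo "$group"
    return 0
}

# snort_args "VLAN1 VLAN2 ..." GROUP_SIZE
# Prints the Snort 3 arguments: one -i per set, and -z equal to the
# number of sets so that every set gets its own packet thread.
snort_args() {
    sets=$(split_ifaces "$1" "$2") || return 1
    args="--daq afpacket"
    count=0
    for s in $sets; do
        args="$args -i $s"
        count=$((count + 1))
    done
    echo "$args -z $count"
}

# Generate VLAN1..VLAN50 and print the resulting argument string.
ifaces=$(i=1; while [ $i -le 50 ]; do printf 'VLAN%d ' $i; i=$((i+1)); done)
snort_args "$ifaces" 25
```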
On 06/22/2018 10:28 AM, Moojit wrote:
> Yes I can, but I would prefer to bind to separate VLAN tags
> On 6/22/2018 8:30 AM, Al Lewis (allewi) wrote:
>> Can you span the traffic to a single interface?
>> Albert Lewis
>> ENGINEER.SOFTWARE ENGINEERING
>> Cisco Systems Inc.
>> Email: allewi at cisco.com
>> On 6/22/18, 9:29 AM, "Snort-users on behalf of Moojit"
>> <snort-users-bounces at lists.snort.org on behalf of moojit at moojit.net>
>> I have a question on using the -i switch.
>> I have approximately 50 subnets to monitor. Is it possible to enter a
>> range of interfaces instead of the individual -i?
>> Snort-users mailing list
>> Snort-users at lists.snort.org
>> Go to this URL to change user options or unsubscribe:
>> Please visit http://blog.snort.org to stay current on all
>> the latest Snort news!
>> Please follow these rules: