|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: [Snort-users] multiple instances, three nics, one box
From: Bennett Todd (bet
rahul.net)
Date: Mon Apr 12 2004 - 20:52:30 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
2004-04-12T21:31:17 Zondlo, Zack:
> Anyone know how to run two separate instances of snort on one box, to
> the point where they act as if on different boxes and I can get them to
> show as 1a and 1b (for example) on my management box.
Except for the last few words, you're looking for three invocations
of snort, with (perhaps) distinct -c and (surely) distinct -i
options.
Your "management box" is running some management software, and
that's not snort. That's some aftermarket add-on, as it were. The
answer "how to make the differences show up distinctly on your
management box" lies partly if not entirely in the neighborhood of
your management software. I've no clue about the RDBMS backends to
snort, never tried one. If you're syslogging and using a
syslog-based management system, you may be looking for "-I".
> I have 3 nics, one outside, one inside, one for management and I'm
> looking to use one machine to monitor both sides of the firewall
> and want to keep everything separate but not buy a second box.
As a general rule, if you have identical rules, and you want to
purely aggregate the traffic, you can get the best performance with
bonding the NICs together and having snort listen to the aggregated
bond0 interface.
If you have identical rules, but want snort to be able to
distinguish them with -I, then you may want to tell snort to listen
on -i any.
If you have different rules, you need to run separate instances of
snort, this is the most general-purpose config.
The first and third options are generally preferred, and it's nice
to have (a) a separate, unnumbered interface for each place snort
should listen, and (b) at least as many CPUs as you have concurrent
snort instances (plus one if you're doing high volumes, plus 2 if
high volumes plus significant local processing e.g. with an
aggregator or local RDBMs or whatever). If you can't hit these,
performance will be less than optimal.
-Bennett
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQFAe0feHZWg9mCTffwRAvB/AJ9gqe0t/gnQ+dQ6Gjv14Zgo0/6LowCfY13p
WpT/b52xk5/y6UvWfeJJus8=
=AcyY
-----END PGP SIGNATURE-----
-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]