Snort mailing list archives

Newbie needs QuadNIC stealth config advice


From: Jeff Newton <Jeff_Newton () pmc-sierra com>
Date: Wed, 05 Dec 2001 15:59:22 -0800


I'm a little confused how exactly to deploy this sensor.  I'm hoping the
list can provide me with some advice after I describe what I want to do:

Sensor has 5 interfaces, one in-band that I want to use for admin and
logging to a db, and 4 out-of-band that I want to use for sniffing. 
Each one of the 4 out-of-band interfaces will go to a different subnet
(duh), some external, some on the DMZ, and some internal.

With that said, a few things confuse me:

1)  Should I run a separate instance of snort for each interface?  This
would allow different rule sets for each interface, correct?  I noticed
I can run snort -i eth0 -i eth1 -i eth2 ... but I'm not sure each
interface using the same snort.conf is a good thing.

2)  What should I set my HOME_NET to?  Should I list ALL my internal
network ranges, excluding DMZs?  When I set EXTERNAL_NET to any, does
snort read that as any except HOME_NET?  I assume these variables are
used with rule directions - i.e. RPC from an internal net is ok, but RPC
from an external net is cause for alert.

3)  Any other caveats I should be looking out for running a QuadNIC
sensor?

Thanks in advance for any advice!

-- 
Jeff Newton
