Snort mailing list archives
Re: dual interface?
From: Bennett Todd <bet () rahul net>
Date: Fri, 25 Oct 2002 09:44:44 -0400
2002-10-24-15:13:12 Phillip Tyre:
[...] Since I was monitoring traffic outside my firewall, inside my firewall, and inside each of my DMZs I wanted to be able to configure my rules independtly, so I'm running 4 seperate instances of snort: snort -i eth0 -U -o -d -D -c /etc/snort/snort0.conf snort -i eth1 -U -o -d -D -c /etc/snort/snort1.conf snort -i eth2 -U -o -d -D -c /etc/snort/snort2.conf snort -i eth3 -U -o -d -D -c /etc/snort/snort3.conf
That's often the recommended approach. For many settings, it's easy to get enough overkill on hardware that performance isn't an issue. One time you don't want to be forced to take this approach is when you've got two or more NICs whose traffic you must consolidate, because e.g. a balanced H-A plant might have assymetric routing, with replies coming down a different side from queries, and hence both sides must be reassembled for snort to track tcp session initiation correctly. That's the circumstance that drove me to figure out the channel bonding stuff for Linux. The only alternative here is to use extra external hardware, a hub or a switch, to aggregate the traffic. Another case might be when the performance of the box is near the wall, and there's fairly active traffic on multiple of the interfaces concurrently, and you don't have at least as many CPUs as you have active snort instances. I could imagine the context switching overhead of having multiple concurrent different snorts might impact performance. -Bennett
Attachment:
_bin
Description:
Current thread:
- Re: dual interface? Phillip Tyre (Oct 24)
- Re: dual interface? Bennett Todd (Oct 25)