Re: Port Aggregator Tap alternatives for snort sensor

["Stephen Reese" <rsreese () gmail com>]

> Sounds like an excellent case for the use of BPF filters and multiple
> instances of snort.
>
> instance 1 - snort <params> net 10.0.0./8
> instance 2 - snort <params> not net 10.0.0./8
>
> This way you will make SURE that anything the first instance doesn't
> grab the second one will.
>
> > I can use the same sensor but then all of the traffic would also be
> >  piled into one database and/or alerts.
>
> Regarding the database, you can use the sensor_id (not sure if that is
> exactly right) parameter of the output database plug-in to identify
> which instance of snort logged each alert in BASE or whatever you are
> using.

Is anyone have a configuration using multiple network taps and one box
for snort?

---internet----> TAP ---router---> TAP ----network cloud---

I'm planning on using the following configuration:

var HOME_NET [68.156.63.111,172.16.2.0/24]
var EXTERNAL_NET !$HOME_NET

The 68.x.x.x is my external IP where there is a sensor so I can see
all of the traffic coming in. The 172.x.x.x is for my internal network
where there will be a sensor placed after the router. Is this the
proper way to do this using one snort process or should I use two
snort processes with separate config files?

Thanks

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users