AW: (Snort-users) Snort Sensor Multi-Homed...

[<sandro.poppi () wacker com>]

> For a snort sensor (multi-homed) with the primary NIC
> connected to RFC 1918
> space and the second NIC running in promisc mode without the stack
> configured, what is the best way to configure this via the
> snort.conf file.
>
> I am mostly concerned with performance. Would it be:
>
> var HOME_NET any OR var HOME_NET $<inf>_ADDRESS
>
> var EXTERNAL_NET any OR var EXTERNAL_NET $<inf>_ADDRESS
>
>
> The idea here is to have my distributed sensors deployed
> throughout various
> nets grabbing data on the promisc net and then all reporting
> back to my
> Demarc/MySQL system via 1918 and gain maximum performance and results.

I'm running snort with 6 NICs in one machine using eth0 for connecting to our
internal network and all other NICs without ip# for snorting, using HOME_NET
any, EXTERNAL_NET any. As always rule set needs some tweeking depending on your
network.

Remember not to run the db/ACID etc. tools on the same machine since that is a
performance issue.

So long,
Sandro


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users