Snort mailing list archives

RE: Snort 1.9.1 Dual Sensor


From: "Grime, Richard S" <richard.grime () imperial ac uk>
Date: Thu, 13 Mar 2003 09:59:49 -0000

Does this mean there's a significant performance overhead to running with
bonded interfaces?

I can see that it's just the same as running two instances - but this is
for convenience as it allows easy correlation of data, seeing as we only
have one set of logs.

I know we could run external analysis tools, but the data is summarised for
us by DeepSight - so I only want to check the Pcap occasionally - and then
don't really want to be concerned with figuring out which interface the data
was captured on.

I'm not sure which feature you're thinking shouldn't be added?  As the
interfaces are bonded, we only need to use Snort's standard functionality as
in:

snort -i bond0 ...

Thanks for the input,

Richard

-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com] 
Sent: 12 March 2003 20:14
To: Grime, Richard S; ANTONIO GUTIERREZ; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort 1.9.1 Dual Sensor


In that situation the FAQ is still applicable.

The proper way to do multiple interfaces if "any" doesn't suit or is not an 
option on your OS is to run multiple snort instances.

AFAIK there's no way to specify multiple interfaces to the pcap layer, so 
any "built in" support for multiple interfaces would be just as 
heavy-weight on your system as running multiple copies of snort because 
that's more-or-less what snort would wind up having to do internally. (Some 
very limited resource sharing would be possible, but probably not enough 
to be worth the effort.)

Since there'd be no significant performance advantage, and it would be 
hiding the heavy performance impact, I'd not expect to see this feature 
added to snort anytime soon, but I'm not a developer of snort, so don't 
quote me on it.


At 10:12 AM 3/12/2003 +0000, Grime, Richard S wrote:
Also, we run it using bonded interfaces, as the "any" isn't much good when
there's a management interface you don't want to look at.


-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com]
Sent: 11 March 2003 23:05
To: ANTONIO GUTIERREZ; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort 1.9.1 Dual Sensor


This is FAQ number 3.4:

http://www.snort.org/docs/faq.html#3.4

At 04:06 PM 3/11/2003 -0600, ANTONIO GUTIERREZ wrote:
Can Snort monitor or collect data on two NICs? If so, how?

