Snort mailing list archives

multiple interfaces on a Snort sensor


From: francesco <friscom () libero it>
Date: Tue, 27 May 2003 13:57:31 +0200

In the recent past (March 11-13) there were a couple of threads about the possibility of using multiple interfaces on a sensor, to collect alerts and logs from multiple sources. One possible use could be a sensor interface before the firewall and one placed elsewhere, behind it.

Normally the outside interface should be configured in stealth mode, in order to avoid (as much as possible) its detection by malicious sources.

The dual interface is supported (though not recommended, I understand, by some people who replied to the original message) by inserting the option:
        -i any
on the command line.

This configuration also works if you have a stealth mode interface, i.e., you do not get error messages when you run the process, but it seems that the logs and the alerts are not from the two interfaces but only from the interface having the IP address.

I tried this with version 1.9.1, so I cannot confirm whether version 2.0.x has a different behavior.

I wish to read some comments from those who have also experimented with such a configuration, which in my humble opinion could work fine (no significant packet loss) with some good quality Ethernet cards and a fast (current) PC.


