Snort mailing list archives
RE: 4-Port NIC
From: "Basselgia, Barry A Mr (NAF Atsugi)" <BABasselgia () atsugi navy mil>
Date: Tue, 8 Mar 2005 09:01:29 +0900
I've just finished setting up a snort sensor with 6 network interfaces on 1 box, running SuSE 9.1. The hardware is a Dell Precision 340 with a built-in 10/100 nic. I've added 2 Intel Pro/1000 MT Dual Port Adapters and a 3Com 3C905 10/100 nic.

I use the built-in port as my management interface; it's the only one with an IP address, and snort does not monitor this interface. I use channel bonding on the Dual Port Adapters, giving me interfaces bond0 and bond1; they are connected to the netoptic 10/100 Ethernet taps. Each interface, bond0 and bond1, has its own instance of snort running. I have the 3Com nic connected to a port on a Cisco switch which is configured for network monitoring. This interface also has its own instance of snort.

All 3 instances of snort are using the unified binary logging. I also have 3 instances of barnyard running that feed the data via an ssh tunnel to my mysql database on a different box.

All this is running fairly smoothly. My main problem right now is memory: the box only has 512meg, and I do on occasion have a problem where snort seems to get swapped out, which obviously causes it to drop packets. This mostly happens when I'm logged onto the box. I have more memory on order, which I think will solve that problem.

I don't know much about the Dlink Adapters. After reading some reviews and discussion here on the mailing list (check the archives), I decided to go with the Intel multi-port adapters. I believe network adapter performance could make/break this type of configuration.

Hope that helps.

Barry

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of rpiperno () rnsservices net
Sent: Tuesday, March 08, 2005 12:27 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] 4-Port NIC

I am setting up snort and would like to have three sensors (running FreeBSD): one for the public side, one for the private side and the third for the DMZ. I will have them reporting back to a server running MySQL and Openaanval.

I am considering putting in one box for the sensors using a Dlink DFE-570TX... is this a good solution, or would I be better off with three separate boxes for the sensors? I will be using Barnyard; any issues with that in this configuration?

Thanks in advance for your help!

Bob

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
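The reply above ties dropped packets to snort being swapped out on a 512 MB box running three instances. The following is an added example, not part of the original post or of Snort: a small check that flags sensor processes with pages in swap by reading `/proc/<pid>/status`. It assumes a Linux kernel that exposes the `VmSwap` field (2.6.34 or later), a process name of `snort`, and a 1024 kB threshold chosen only for illustration; the sample status text is constructed.

```python
#!/usr/bin/env python3
"""Flag snort sensor processes that have pages in swap (Linux /proc)."""
import glob
import re

# Constructed sample of /proc/<pid>/status contents (not from the original post).
SAMPLE = {
    2101: "Name:\tsnort\nState:\tS (sleeping)\nVmRSS:\t  184320 kB\nVmSwap:\t       0 kB\n",
    2102: "Name:\tsnort\nState:\tS (sleeping)\nVmRSS:\t   40960 kB\nVmSwap:\t  131072 kB\n",
    2103: "Name:\tsnort\nState:\tS (sleeping)\nVmRSS:\t  150000 kB\nVmSwap:\t     512 kB\n",
    2200: "Name:\tbarnyard\nState:\tS (sleeping)\nVmRSS:\t   20480 kB\nVmSwap:\t   65536 kB\n",
}

FIELD = re.compile(r"^(Name|VmRSS|VmSwap):\s+(\S+)", re.MULTILINE)

def parse_status(text):
    """Return {'Name': str, 'VmRSS': kB, 'VmSwap': kB}; missing sizes become 0."""
    info = {"Name": "", "VmRSS": 0, "VmSwap": 0}
    for key, value in FIELD.findall(text):
        info[key] = value if key == "Name" else int(value)
    return info

def swapped_sensors(statuses, name="snort", min_swap_kb=1024):
    """List (pid, swap_kb, rss_kb) for processes called `name` at or above the threshold."""
    hits = []
    for pid, text in sorted(statuses.items()):
        info = parse_status(text)
        if info["Name"] == name and info["VmSwap"] >= min_swap_kb:
            hits.append((pid, info["VmSwap"], info["VmRSS"]))
    return hits

def read_live_statuses():
    """Read the status file of every running process (Linux only)."""
    statuses = {}
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path) as fh:
                statuses[int(path.split("/")[2])] = fh.read()
        except OSError:
            continue  # process exited between glob and open
    return statuses

if __name__ == "__main__":
    live = read_live_statuses()
    # Fall back to the constructed sample when /proc is unavailable.
    for pid, swap_kb, rss_kb in swapped_sensors(live or SAMPLE):
        print(f"snort pid {pid}: {swap_kb} kB in swap, {rss_kb} kB resident")
```

Run from cron on the sensor, a non-empty result marks the intervals in which that instance's drop counts should be treated as suspect.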