Snort mailing list archives
Re: Snort 3, IDS mode, Monitor Multiple Interface At Same Time
From: Michael Altizer via Snort-users <snort-users () lists snort org>
Date: Mon, 25 Jun 2018 10:56:16 -0400
Snort3 will not natively aggregate packets from packet sources. You need a DAQ module that will do so for you and present it to Snort as a single stream of packets. If you specify -i N times, you will need N packet threads (-z N) to process all of the packets. On Linux systems, you can use AFPacket (--daq afpacket) to listen on multiple interfaces at one time. If you run it in passive mode, it takes a colon-separated list of interface names as its input specification (for example: -i VLAN10:VLAN20:VLAN30:...) and will open the socket/create an RX ring for each and round robin over them when looking for packets. There is a fairly arbitrary limit of 32 interfaces that I threw on the AFPacket DAQ module and I've never tested with anything close to that, but it should work with the caveats that there will be some latency penalty for each interface added (not a problem if you're passive rather than inline) and the total packet buffer memory (default = 128mb) will be divided evenly across all of the interfaces in the set. So, to monitor 50 subinterfaces, your minimum config would be to run two packet threads with AFPacket configured to listen on 25 subinterfaces in each (-d afpacket -i VLAN1:...:VLAN25 -i VLAN26:...:VLAN50 -z2).
Alternatively, have you considered doing policy by VLAN internally in Snort (binder 'when' statements using VLAN criteria) and having it sniff the aggregated, tagged traffic like Al suggested?
On 06/22/2018 10:28 AM, Moojit wrote:
Yes I can, but I would prefer to bind to separate VLAN tags.

On 6/22/2018 8:30 AM, Al Lewis (allewi) wrote:
Hello, can you span the traffic to a single interface?
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com

On 6/22/18, 9:29 AM, "Snort-users on behalf of Moojit" <snort-users-bounces () lists snort org on behalf of moojit () moojit net> wrote:
Hello, I have a question on using the -i switch. I have approximately 50 subnets to monitor; is it possible to enter a range of interfaces instead of the individual -i?
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
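A small helper, added here and not part of the thread, that turns a list of subinterface names into the argument layout described above: one colon-separated -i group per packet thread, -z equal to the number of groups, and at most 25 interfaces per group to stay under the AFPacket DAQ's 32-interface cap. The VLAN1..VLAN50 names are constructed sample input.

```shell
#!/bin/sh
# Build Snort 3 / AFPacket DAQ arguments for monitoring many subinterfaces.
# Each "-i" takes a colon-separated interface list and needs its own packet
# thread, so "-z" must equal the number of "-i" groups. The AFPacket DAQ
# module caps a single group at 32 interfaces; 25 keeps a safety margin.
# Remember the default packet buffer is shared evenly across a group's
# interfaces, so more interfaces per group means less buffer per interface.

MAX_PER_GROUP=25   # interfaces per packet thread (module limit is 32)

# snort_afpacket_args IFACE... -> prints e.g. "--daq afpacket -i a:b -i c:d -z 2"
snort_afpacket_args() {
    groups=""; current=""; count=0; nthreads=0
    for ifc in "$@"; do
        if [ "$count" -eq "$MAX_PER_GROUP" ]; then
            groups="$groups -i $current"; nthreads=$((nthreads + 1))
            current=""; count=0
        fi
        if [ -z "$current" ]; then current="$ifc"; else current="$current:$ifc"; fi
        count=$((count + 1))
    done
    if [ -n "$current" ]; then
        groups="$groups -i $current"; nthreads=$((nthreads + 1))
    fi
    printf '%s%s -z %d\n' '--daq afpacket' "$groups" "$nthreads"
}

# Constructed sample: N VLAN subinterfaces named VLAN1..VLANN (hypothetical names).
vlan_list() {
    i=1
    while [ "$i" -le "$1" ]; do printf 'VLAN%d ' "$i"; i=$((i + 1)); done
}

# Example: 50 subinterfaces -> two groups of 25 and two packet threads.
# shellcheck disable=SC2046
snort_afpacket_args $(vlan_list 50)
```

Paste the printed arguments onto your snort command line (with -c and the rest of your options); each additional -i group adds a packet thread, so size them to the cores you can spare.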
Current thread:
- Snort 3, IDS mode, Monitor Multiple Interface At Same Time Moojit (Jun 22)
- Re: Snort 3, IDS mode, Monitor Multiple Interface At Same Time Al Lewis (allewi) via Snort-users (Jun 22)
- Re: Snort 3, IDS mode, Monitor Multiple Interface At Same Time Moojit (Jun 22)
- Re: Snort 3, IDS mode, Monitor Multiple Interface At Same Time Michael Altizer via Snort-users (Jun 25)
- Re: Snort 3, IDS mode, Monitor Multiple Interface At Same Time Moojit (Jun 22)
- Re: Snort 3, IDS mode, Monitor Multiple Interface At Same Time Al Lewis (allewi) via Snort-users (Jun 22)