IDS mailing list archives

Re: Multiple network segment monitor with Snort


From: Florin Andrei <florin () sgi com>
Date: 29 Sep 2003 13:48:37 -0700

On Wed, 2003-09-24 at 11:59, Sergio Pozo Hidalgo wrote:

Can I use the same physical machine (with as many ethernet cards as 
sensors I want to deploy) and use various independent snort 
processes? I also don't know if only one Snort process can control 
different network cards at the same time. And yes, I know that I can hog 
the sensor, but the networks are going to have little traffic (at least 
right now!).

It should be doable, but don't forget to secure the heck out of that
sensor. Like:
- disable IP forwarding
- don't assign IP addresses to the "sniffing" interfaces
- perhaps configure those interfaces to not even answer ARP requests
- etc.

-- 
Florin Andrei

http://florin.myip.org/
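
An added example, not part of the original post: a small audit script that checks the three hardening points listed above on a Linux sensor with iproute2. The script name, the `ROOT` prefix variable and the interface names are assumptions of this example.

```shell
#!/bin/sh
# Audit a multi-NIC Snort sensor against the hardening points from the post.
# Usage: sh audit_sensor.sh eth1 eth2    (interface names are examples)
# ROOT is an assumption of this example: a prefix for /proc and /sys so the
# checks can be pointed at a constructed tree. Leave it empty on a live host.
ROOT="${ROOT:-}"

# Print the addresses bound to an interface, one per line (iproute2).
list_addrs() {
    ip -o addr show dev "$1" 2>/dev/null | awk '{print $3, $4}'
}

# Print one "FAIL ..." line per finding; return the number of findings.
audit_sensor() {
    findings=0
    # 1. The sensor must not route between the monitored segments.
    for f in proc/sys/net/ipv4/ip_forward proc/sys/net/ipv6/conf/all/forwarding; do
        if [ -r "$ROOT/$f" ] && [ "$(cat "$ROOT/$f")" != "0" ]; then
            echo "FAIL forwarding enabled: /$f"
            findings=$((findings + 1))
        fi
    done
    for ifc in "$@"; do
        # 2. Sniffing interfaces carry no address (IPv6 link-local counts too).
        addrs=$(list_addrs "$ifc")
        if [ -n "$addrs" ]; then
            echo "FAIL $ifc has an address: $(echo "$addrs" | tr '\n' ' ')"
            findings=$((findings + 1))
        fi
        # 3. IFF_NOARP (0x80) set in the interface flags: no ARP replies.
        flags=$(cat "$ROOT/sys/class/net/$ifc/flags" 2>/dev/null || echo 0x0)
        if [ $(($flags & 0x80)) -eq 0 ]; then
            echo "FAIL $ifc answers ARP (IFF_NOARP not set, flags=$flags)"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

if [ "$#" -gt 0 ]; then audit_sensor "$@"; fi
```

An exit status of 0 means every listed interface passed all three checks; a missing interface is reported as answering ARP because its flags cannot be read.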

