Snort mailing list archives

Re: dual interface?


From: Phillip Tyre <phillip_tyre () yahoo com>
Date: Thu, 24 Oct 2002 12:13:12 -0700 (PDT)


Daniel, I'm new to snort, but I have been having good luck so far with the following. Maybe some of the more 
experienced people could give a critique of any problems the following might cause.

For 609.00 US last week you could buy a P4 2ghz dell with 512mb of ram. So I did. That didn't leave a lot of play money 
for nics, so in addition to the onboard 10/100 nic, I raided the supply box and came up with a handful of 3coms, all 
different models and vintages. I slapped 4 of them in my sensor box running 7.3 Redhat, and brought them up.

I wanted to use the onboard nic for my SQL logging/management interface, and it always defaulted to the highest number 
eth4, so I configured it with an IP address, then brought up the other nics with no IP address:

ifconfig eth0 up
ifconfig eth1 up
ifconfig eth2 up
ifconfig eth3 up

Since I was monitoring traffic outside my firewall, inside my firewall, and inside each of my DMZs, I wanted to be able 
to configure my rules independently, so I'm running 4 separate instances of snort:

snort -i eth0 -U -o -d -D -c /etc/snort/snort0.conf
snort -i eth1 -U -o -d -D -c /etc/snort/snort1.conf
snort -i eth2 -U -o -d -D -c /etc/snort/snort2.conf
snort -i eth3 -U -o -d -D -c /etc/snort/snort3.conf

Processor utilization doesn't seem to be out of control, but that could be because I went the overkill route on the 
hardware platform. 

Hope this helps, and I welcome any feedback.

Phillip Tyre
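
Added example, not part of the original post: a pre-flight check for the layout described above that refuses to plan a Snort instance on any sniffing interface that has picked up an IP address, and otherwise emits the same command line used in the post. The function names, the sample listing (in the format of `ip -o -4 addr show`) and the addresses in it are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the format of `ip -o -4 addr show`. Only the
# management NIC (eth4) should carry an address; eth2 is a deliberate mistake.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
4: eth2    inet 10.0.2.15/24 brd 10.0.2.255 scope global eth2
6: eth4    inet 192.168.10.5/24 brd 192.168.10.255 scope global eth4'

# Print the IPv4 address bound to interface $2 in listing $1 (empty if none).
iface_addr() {
    printf '%s\n' "$1" |
        awk -v ifc="$2" '$2 == ifc && $3 == "inet" { print $4; exit }'
}

# For each sniffing interface, print the snort command from the post, or a
# REFUSE line if the interface has an address. Returns 1 if any was refused.
plan_sensors() {
    addrs=$1; shift
    rc=0
    for ifc in "$@"; do
        addr=$(iface_addr "$addrs" "$ifc")
        if [ -n "$addr" ]; then
            echo "REFUSE $ifc: has address $addr"
            rc=1
        else
            # Config naming follows the post: ethN -> /etc/snort/snortN.conf
            echo "snort -i $ifc -U -o -d -D -c /etc/snort/snort${ifc#eth}.conf"
        fi
    done
    return $rc
}

# On a live sensor: plan_sensors "$(ip -o -4 addr show)" eth0 eth1 eth2 eth3
plan_sensors "$SAMPLE_ADDRS" eth0 eth1 eth2 eth3 ||
    echo "fix the refused interfaces before starting snort"
```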


 


