Re: Multiple sensors?

[Keg <snrtlst () netscape net>]

1. I sniff firewall ports (which are connected to the corresponding 8 
segments), in that sense-yes I can see/sniff all traffic.
2. Most of the traffic is incoming from internet (public NIC), the rest 
are dedicated segments for Internal WAN/VPNe we run on dedicated lines.]
So here is the plan:
1 box will have 2 NICs and it will sniff incoming internet traffic and 
DMZ access (-i any will be used)
2nd box will have 5 NICs and will sniff the rest of the firewall ports 
connected to the rest of the segments (-i any will be used)

So you say it is an acceptable configuration as long as boxes are beefy 
enough to accomodate the traffic flow?



Erek Adams wrote:

> On Tue, 18 Mar 2003, Keg wrote:
>
>  
>
> > I have 8 segments to monitor, should I install 8 snort boxes or can I
> > use 1 box with 8 NICs running 8 instances of snort on different interfaces?
> > Thank you.
> >    
>
> It depends.
>
> Does your Snort box sit in the network in such a way that it can see all
> the traffic?  If it's running Linux 2.4+ kernel simply use "-i any" to
> snarf traffic from all the interfaces.  Otherwise, you could bridge, bond,
> or trunk interfaces into one logical interface for sniffing.  How much
> sustained traffic?  How much bursting traffic?  Tuned ruleset?
>
> It's not an exact science.  It's more along the lines of Voodoo.  And see,
> they said being from Louisiana woudln't be useful!  ;-)
>
> Cheers!
>
> -----
> Erek Adams
>
>   "When things get weird, the weird turn pro."   H.S. Thompson
>  

--
Your favorite stores, helpful shopping tools and great gift ideas. 
Experience the convenience of buying online with Shop@Netscape! 
http://shopnow.netscape.com/