Snort mailing list archives

Re: Multiple "sniffing" interfaces


From: Bennett Todd <bet () rahul net>
Date: Wed, 23 Jul 2003 14:07:22 -0400

2003-07-23T12:00:10 Bryan Miller:
I was curious as to the list member's experiences with using multiple
interfaces in "sniffing" mode.

Lots of folks do it.

There are two fundamentally different models.

When there are multiple logically distinct nets, and the incentive
is simply to save hardware costs by letting one sensor device act as
multiple logical sensors, then you run multiple snort instances.
Note that none of the nets should be "high-traffic" (i.e. multiples
of tens of Mbps total aggregate of the lot); the aggregate capacity
of N snorts on one box is likely to be dramatically less than
1/N times the capacity of a single snort on that box, if only due to
context switching.

The alternate model applies when you're using multiple interfaces
simply because you don't want to buy a separate box to aggregate
the traffic, but you are happy to have all the aggregated traffic
examined by one snort. Sometimes --- e.g. when nets have
high-availability with load-balancing and the packets associated
with a single connection might traverse different links, or when
you're using a network tap and the traffic in two directions is
presented on two different nics --- you really _need_ to aggregate
all the traffic into one snort instance. Other times it's not
conceptually important, you could use one snort or many, but you
don't mind aggregating it --- they all run the same config, and you
don't need the alerts to distinguish which NIC the traffic arrived
on --- and you don't want to pay the aforementioned performance hit
for multiple snorts on one box. In this case, you use some OS or
platform specific feature to aggregate the traffic. On some
platforms, if you want snort to monitor _all_ interfaces including
in particular the mgmt interface if any, you can tell snort to
listen to "any". I believe the snort FAQ at www.snort.org mentions
this. On some platforms, there are platform-specific drivers to
aggregate traffic from multiple NICs and present it as one logical
NIC. I've done this using the bonding driver on Linux, works great;
performance is not measurably degraded relative to having an
external device aggregate the traffic and present it on one NIC.

-Bennett
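The two deployment models described in the message above, as an added shell example that is not part of the original post and not Snort project code. It assumes a Linux box with iproute2 and Snort 2.x, and uses placeholder interface names (eth1, eth2, bond0), a placeholder config path and log directory; by default it only prints the commands it would run, and executes them only when APPLY=1 is set (it then needs root).

```shell
#!/bin/sh
# Added example: one snort per NIC (model 1) versus NICs bonded into one
# logical device with a single snort (model 2). eth1/eth2/bond0, SNORT_CONF
# and LOG_BASE are placeholders for this illustration.

SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
LOG_BASE=${LOG_BASE:-/var/log/snort}

# run: print the command; execute it only when APPLY=1 (review first, then apply).
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    fi
}

# Model 1: a separate snort instance per interface. Each instance gets its own
# log directory so alerts from the different nets stay apart. -D daemonizes,
# -i binds the instance to one NIC, -l sets its log directory.
# Usage: separate_sensors eth1 eth2 ...
separate_sensors() {
    for nic in "$@"; do
        run ip link set "$nic" up promisc on
        run mkdir -p "$LOG_BASE/$nic"
        run snort -D -i "$nic" -c "$SNORT_CONF" -l "$LOG_BASE/$nic"
    done
}

# Model 2: enslave the NICs to a bonding device and run one snort on it, so
# both directions of a tap (or both links of a load-balanced pair) land in the
# same instance. Round-robin mode is fine here because the bond only receives;
# slaves must be down while being enslaved, and promisc on the bond is
# propagated to the slaves by the bonding driver.
# Usage: bonded_sensor bond0 eth1 eth2 ...
bonded_sensor() {
    bond=$1
    shift
    run ip link add "$bond" type bond mode balance-rr
    for nic in "$@"; do
        run ip link set "$nic" down
        run ip link set "$nic" master "$bond"
    done
    run ip link set "$bond" up promisc on
    run mkdir -p "$LOG_BASE/$bond"
    run snort -D -i "$bond" -c "$SNORT_CONF" -l "$LOG_BASE/$bond"
}

# Dry run of both models (prints the commands, executes nothing):
separate_sensors eth1 eth2
bonded_sensor bond0 eth1 eth2
```

With APPLY=1 and root, the same script applies the commands; the dry-run output is what you would paste into a sensor's startup script. Model 1 prints one snort invocation per NIC, model 2 prints exactly one, bound to the bond.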
