Re: Couple of quick questions

[Bennett Todd <bet () rahul net>]

I can't help with snorting non-ethernet interfaces (cipe or pptp
vpn, ppp) but:

2004-03-23T20:44:18 Charles Lacroix:
> While we are at it, can it listen to bonded interfaces like 
> bond0 which joins a couple of interfaces together.

that I can answer, at least in part.

I've deployed snort listening on bonded eth interfaces successully.
The one quirk, which may have been fixed since, was that promisc
wasn't being passed down from bond0 to the bonded ethN interfaces
when snort tried to set promisc; the simple fix was to explicitly
ifconfig bond0 promisc before ifenslaving the ethN interfaces;
promisc _is_ propogated down to the ethN interfaces at ifenslave
time.

There's been talk since on the bonding-devel list about propogating
such attribute changes from bond0 down to the bonded ethN whenever
they're set on bond0; I've not paid close enough attention to know
whether they've made it into the stock kernel versions, or if so
when. bonding.txt has a note in it describing the issue, and also
noting that if you're doing an unnumbered interface (common for
snort applications) ifenslave will spew a bunch of errors about lack
of addresses, which can all be ignored.

-Bennett

Attachment: _bin
Description: