RE: 4-Port NIC

["Basselgia, Barry A Mr (NAF Atsugi)" <BABasselgia () atsugi navy mil>]

I've just finished setting up a snort sensor with 6 network interfaces on 1
box, running SuSE 9.1.

The hardware is a Dell Precision 340 with a built in 10/100 nic.
I've added 2 Intel Pro/1000 MT Dual Port Adapters and a 3Com 3C905 10/100
nic.

I use the built in port as my management interface, it's the only one with
an IP address, snort does not monitor this interface

I use channel bonding on the Dual Port Adapters giving me interface bond0
and bond1, they are connected the netoptic 10/100 Ethernet taps.  Each
interface, bond0 and bond1, has it's own instance of snort running.

I have the 3Com nic connected to a port on a Cisco switch which is
configured for network monitoring.  This interface also has it's own
instance of snort.

All 3 instances of snort are using the unified binary logging.  I also have
3 instances of barnyard running that feed the data via an ssh tunnel to my
mysql database on a different box.

All this is running fairly smoothly.  My main problem right now is memory,
the box only has 512meg, I do on occasion have a problem were snort seems to
gets swapped out.  Which obviously causes it to drop packets.  This mostly
happens when I'm logged onto the box.  I have more memory on order which I
think will solve that problem.

I don't know much about the Dlink Adapters.  After reading some reviews and
discussion here on the mailing list, check the archives, I decided to go
with the intel multi port adapters.  I believe network adapter performance
could make/break this type of configuration.

Hope that helps.

Barry


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of
rpiperno () rnsservices net
Sent: Tuesday, March 08, 2005 12:27 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] 4-Port NIC



I am setting up snort and would like to have three sensors (running
FreeBSD). 
One for the public side, one for the private side and the third for the DMZ.
I
will have them reporting back to a server running MySQL and Openaanval.  I
am
considering putting in one box for the sensors using a Dlink DFE-570TX...is
this a good solution or would I be better off with three seperate boxes for
the
sensors?   I will be using Barnyard any issues with that in this
configuration?

Thanks in advance for your help!

Bob


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users