Snort mailing list archives

Re: Question about Inline mode


From: John Liss <john () lissproductions com>
Date: Mon, 05 Dec 2011 10:00:38 -0700


Helpful as they were, I still have the following questions.

When using either NFQ or the DAQ modules, are the interfaces bonded 
together?  I completely understand that the Management interface is 
assigned an IP Address, a gateway and a network (subnet mask).

What happens to the two interfaces used in inline mode?  If I place 
the sensor inline, are the interfaces numbered?  Do I need to fully 
provide networking (routing) between the interfaces?

With --daq afpacket, the pair of interfaces become a bridge.

Setup on ubuntu 10.04:

The interface setup:

auto eth0
iface eth0 inet manual
         up ifconfig $IFACE <your mgt ip> up

auto eth1
iface eth1 inet manual
         up ifconfig $IFACE 0.0.0.0 up
         up ip link set $IFACE promisc on
         down ip link set $IFACE promisc off
         down ifconfig $IFACE down

auto eth2
iface eth2 inet manual
         up ifconfig $IFACE 0.0.0.0 up
         up ip link set $IFACE promisc on
         down ip link set $IFACE promisc off
         down ifconfig $IFACE down


Running snort:
/usr/local/bin/snort --daq afpacket -Q -c /etc/snort/snort.conf -i eth1:eth2 -D

The network on eth1 becomes the same network on eth2; this is known as a bridge.

It works wonderfully and drops packets as advertised.


Does the inline mode require two interfaces?

Can Snort support multiple networks, simultaneously?  Does this reduce
the throughput capability of the monitor?

Inline requires two interfaces.

Internet  router <-> eth1 <- snort -> eth2 <-> firewall <-> internal.

Yes you can run multiple networks on a single box.
You just need enough horsepower in the box for snort to keep up with 
the traffic, and enough interfaces to act as bridges.

Example:  You have a monster box with 10 network cards in it, and enough 
cpu/memory to run multiple instances of snort.
You would just run snort over the interfaces:

Network setup:
eth0 = management.
eth1:eth2 = first bridge.
eth3:eth4 = second bridge.
eth5:eth6 = third bridge.
eth7:eth8 = fourth bridge.
etc...

Snort setup:
/usr/local/bin/snort --daq afpacket -Q -c /etc/snort/snort1.conf -i eth1:eth2 -D
/usr/local/bin/snort --daq afpacket -Q -c /etc/snort/snort2.conf -i eth3:eth4 -D
/usr/local/bin/snort --daq afpacket -Q -c /etc/snort/snort3.conf -i eth5:eth6 -D
etc...


I personally would still tend to lean towards 4 individual boxes in 
production environments.  That way if you lose a box for whatever 
reason, only one network segment is affected.

Development or test networks where traffic isn't critical, sure, toss 
them all on one box.  (But who has one of those?  My networks are all 
classified as must have up.)

-John
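The afpacket bridge setup and the one-snort-instance-per-bridge layout described above, as an added example that is not from the thread: a launcher that checks each bridge port looks like the interfaces stanza quoted (up, promiscuous, no IPv4 address) before composing the snort command line. The interface names, config paths and the /sys/class/net flag checks are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks bridge ports and
# builds "snort --daq afpacket -Q -i ethA:ethB" lines, one per bridge.
set -u

# IFF_UP and IFF_PROMISC bits as exposed in /sys/class/net/<if>/flags
IFF_UP=1
IFF_PROMISC=256

# Validate "ethA:ethB" syntax: exactly two distinct, non-empty names.
pair_valid() {
    case "$1" in
        *:*:*|:*|*:) return 1 ;;
        *:*) [ "${1%%:*}" != "${1#*:}" ] ;;
        *) return 1 ;;
    esac
}

# An inline port must exist, be UP and PROMISC, and carry no IPv4
# address: it is a plain L2 port of the afpacket bridge, matching the
# "inet manual / 0.0.0.0 / promisc on" stanza quoted in the thread.
iface_ready() {
    [ -r "/sys/class/net/$1/flags" ] || return 1
    flags=$(( $(cat "/sys/class/net/$1/flags") ))
    [ $(( flags & IFF_UP )) -ne 0 ] || return 1
    [ $(( flags & IFF_PROMISC )) -ne 0 ] || return 1
    [ -z "$(ip -4 -o addr show dev "$1" 2>/dev/null)" ]
}

# Build the snort command line for one bridge pair and its own config.
snort_inline_cmd() {
    printf '%s\n' "/usr/local/bin/snort --daq afpacket -Q -c $1 -i $2 -D"
}

# One instance per bridge: snort1.conf for eth1:eth2, snort2.conf for
# eth3:eth4, and so on (config paths are an assumption).
launch_bridges() {
    n=1
    for pair in "$@"; do
        pair_valid "$pair" || { echo "bad pair: $pair" >&2; return 1; }
        for ifc in "${pair%%:*}" "${pair#*:}"; do
            iface_ready "$ifc" || { echo "$ifc not ready" >&2; return 1; }
        done
        cmd=$(snort_inline_cmd "/etc/snort/snort$n.conf" "$pair")
        echo "$cmd"    # replace echo with eval to actually start snort
        n=$((n + 1))
    done
}
```

Run as `launch_bridges eth1:eth2 eth3:eth4` on the sensor; a port that still has an address or is not in promiscuous mode stops the launch before any instance is started.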
Multiple networks can be supported but of course bandwidth is the
consideration here along with the strength of the Snort sensor. There
are better people on this list to answer than me but depending on the
size/bandwidth considerations you may want to consider using 4 sensors
that report to a main server for analysis. Like I said, others on this
list can help there as I have no experience here. Search the Google
Groups list too.
Four sensors and a Main Server is an exceptional idea.  Thank you for 
that.

From reading the above sites listed, it would seem that afpacket is 
the method to use for inline use.  Is there a consensus here?

Hope this serves at least as a start to answer your questions.
Bill




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net