Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] Bonding or bridging two subnets

from [barryab63-ia] Network Security [Permanent Link]
Subject: Re: [Snort-users] Bonding or bridging two subnets
Date: Wed, 28 Dec 2005 04:21:51 -0800 (PST) 
Robert, 
 
Not to sure about the processor, I've found memory to be more of a limiting 
factor when running multiple instances of snort.  It is a good idea to have it 
logging to another box.
 
If you use bonding on the interfaces they basically become 1 virtual interface, 
you wouldn't be able to address the 2 interfaces separately anymore.  So, I 
don't think that will work for what you've described.
 
I'd suggest trying the multiple instances and see how it works.  You make get 
some packet lost if you run low on processor or memory.  In which case you'd 
have to look at trying something else.
 
Barry


----- Original Message ----
From: Robert Welz <welz@fixe-post.de>
To: barryab63-ia@yahoo.com
Sent: Wednesday, December 28, 2005 9:11:21 PM
Subject: Re: [Snort-users] Bonding or bridging two subnets


barryab63-ia@yahoo.com wrote:

Robert,
 
First, lets try to head something off before it gets started.  It's not a 
good idea to post the same question twice, especially within minutes of each 
other.  This is a free support and it can take time to get answers.  Some 
people get very irritated about this.
 
I don't think you'll want to bond or bridge the two interfaces in the case 
you describe.  I think you'll want to run multiple instances of snort, one 
for each of the two interfaces you want to monitor.  If you installed via RPM 
on SUSE I think you can do this by changing the settings in the 
/etc/sysconfig/snort file.  You just tell it which interfaces you want snort 
to monitor and it pretty much takes care of everything for you.
 
Barry


Thank you. I have had an immediate response from anjah@immedia.fr which made me 
thought my message was rejected becourse of using utf-8 (unicode) as charset. 
It took 
some time to figure out that it was an automated "We are on holliday" or 
something 
like that. I speak no french.

I apologise for that.

Runnig two processes of snort on the same machine has more computing costs than 
running one process? I have 3 Gigabit (although 32Bit cards) which I want to 
observe. 
Will my 2.6 GHZ Celeron be enough? I plan logging to a different machine though.
Thanks,
Robert


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] Bonding or bridging two subnets, barryab63-ia
Next by Date:  Re: [Snort-users] Bonding or bridging two subnets, Robert Welz
Previous by Thread:  Re: [Snort-users] Bonding or bridging two subnets, barryab63-ia
Next by Thread:  Re: [Snort-users] Bonding or bridging two subnets, Robert Welz
Indexes:  [Date] [Thread] [Top] [All Lists]