RE: [Snort-users] 4-Port NIC
This is a discussion on RE: [Snort-users] 4-Port NIC within the Snort forums, part of the System Security and Security Related category; I've just finished setting up a snort sensor with 6 network interfaces on 1 box, running SuSE 9.1. ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
03-08-2005
|
|||
|
|||
RE: [Snort-users] 4-Port NIC
I've just finished setting up a snort sensor with 6 network interfaces on 1
box, running SuSE 9.1. The hardware is a Dell Precision 340 with a built in 10/100 nic. I've added 2 Intel Pro/1000 MT Dual Port Adapters and a 3Com 3C905 10/100 nic. I use the built in port as my management interface, it's the only one with an IP address, snort does not monitor this interface I use channel bonding on the Dual Port Adapters giving me interface bond0 and bond1, they are connected the netoptic 10/100 Ethernet taps. Each interface, bond0 and bond1, has it's own instance of snort running. I have the 3Com nic connected to a port on a Cisco switch which is configured for network monitoring. This interface also has it's own instance of snort. All 3 instances of snort are using the unified binary logging. I also have 3 instances of barnyard running that feed the data via an ssh tunnel to my mysql database on a different box. All this is running fairly smoothly. My main problem right now is memory, the box only has 512meg, I do on occasion have a problem were snort seems to gets swapped out. Which obviously causes it to drop packets. This mostly happens when I'm logged onto the box. I have more memory on order which I think will solve that problem. I don't know much about the Dlink Adapters. After reading some reviews and discussion here on the mailing list, check the archives, I decided to go with the intel multi port adapters. I believe network adapter performance could make/break this type of configuration. Hope that helps. Barry -----Original Message----- From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net]On Behalf Of rpiperno@rnsservices.net Sent: Tuesday, March 08, 2005 12:27 AM To: snort-users@lists.sourceforge.net Subject: [Snort-users] 4-Port NIC I am setting up snort and would like to have three sensors (running FreeBSD). One for the public side, one for the private side and the third for the DMZ. I will have them reporting back to a server running MySQL and Openaanval. I am considering putting in one box for the sensors using a Dlink DFE-570TX...is this a good solution or would I be better off with three seperate boxes for the sensors? I will be using Barnyard any issues with that in this configuration? Thanks in advance for your help! Bob ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
