[GLLUG] snort and dual NIC monitoring

Karl Schuttler karl.schuttler at gmail.com
Mon May 3 17:50:16 EDT 2010


The trouble with this is that snort feeds to Barnyard, which takes
snort's output and inputs it to your mysql database, which you are
probably reading using BASE. You can simply run two snort commands
using the -i flag to specify different interfaces; the trouble is that
barnyard won't discriminate based on interface, so in BASE you'll just
see all the traffic as if it were from one NIC.

If you want to separate the alerts, you'll need a separate mysql
database, snort.conf, and barnyard instance (and folder). I'm pretty
sure on that; I went the cheapie route, and just used one.

http://seclists.org/snort/2002/q2/1975 for more ideas.
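To illustrate the interface problem described above without a second database: an added example (not from this thread or the Snort project) that reads the alert_fast output of two per-interface Snort instances (each started with its own -i and -l) and tags every alert with the NIC it came from before merging them. Interface names, log paths and alert lines are constructed.

```python
"""Tag Snort alert_fast lines with the NIC they came from (added example, not from the thread
or the Snort project): one Snort instance per interface, each with its own -l log directory,
and the per-interface 'alert' files merged into one list that keeps the interface on each record.
Paths and sample lines are constructed assumptions."""
import re
from pathlib import Path

# alert_fast layout:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$")

def parse_alert(line, iface):
    """Parse one alert_fast line into a dict tagged with iface; None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["iface"] = iface
    rec["prio"] = int(rec["prio"]) if rec["prio"] else None
    return rec

def merge_alerts(lines_by_iface):
    """{iface: alert lines} -> one list in timestamp order (MM/DD-HH:MM:SS sorts lexically within a year)."""
    merged = [r for iface, lines in lines_by_iface.items()
              for r in (parse_alert(l, iface) for l in lines) if r]
    merged.sort(key=lambda r: r["ts"])
    return merged

def load_alert_dirs(log_dirs):
    """{iface: snort -l directory} -> merged alerts, reading the 'alert' file written by -A fast."""
    return merge_alerts({iface: Path(d).joinpath("alert").read_text().splitlines()
                         for iface, d in log_dirs.items()})

# Constructed sample: eth1 carries the tap's Rx leg, eth2 the Tx leg.
SAMPLE = {
    "eth1": ["05/03-16:20:01.000100  [**] [1:1000001:1] TEST inbound probe [**] "
             "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:4321 -> 192.168.1.10:80"],
    "eth2": ["05/03-16:20:01.000300  [**] [1:1000002:1] TEST outbound reply [**] "
             "[Priority: 3] {TCP} 192.168.1.10:80 -> 10.0.0.5:4321"],
}

if __name__ == "__main__":
    for r in merge_alerts(SAMPLE):
        print(f'{r["iface"]} {r["ts"]} sid={r["sid"]} {r["src"]} -> {r["dst"]} {r["msg"]}')
```

For live use, point load_alert_dirs at the two -l directories (for example {"eth1": "/var/log/snort/eth1", "eth2": "/var/log/snort/eth2"}); the interface tag is what a single barnyard/BASE pipeline would have lost.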

On Mon, May 3, 2010 at 4:20 PM, Stanley C. Mortel <mortel at cyber-nos.com> wrote:
> Has anyone got enough experience configuring snort to know if it can be set
> to monitor traffic on two NICs at once?  What I am looking at is using a
> passive network tap without aggregation, thus feeding the inbound and
> outbound traffic to a box with two NICs installed using properly wired
> unidirectional sniffing cables.  Doesn't seem like you'd need two snort
> boxes to watch both Rx and Tx traffic going over a wire.  Anyway, I've not
> had much luck googling this.  So before I spent much more time on it, I
> thought I'd ask here.
>
> Thanks.
>
> Stan
> _______________________________________________
> linux-user mailing list
> linux-user at egr.msu.edu
> http://mailman.egr.msu.edu/mailman/listinfo/linux-user
>
