[GLLUG] snort and dual NIC monitoring

Stanley C. Mortel mortel at cyber-nos.com
Mon May 3 17:58:37 EDT 2010


Thanks Karl.  I'll have to see if I need to keep things separated.

Take a look at this link for an el cheapo network tap.  It does require 
a special cable that splits the inputs to the two NICs.

http://www.instructables.com/id/Make-a-Passive-Network-Tap/

Stan

Karl Schuttler wrote:
> The trouble with this is that snort feeds to Barnyard, which takes
> snort's output and inputs it to your mysql database, which you are
> probably reading using BASE. You can simply run two snort commands
> using the -i flag to specify different interfaces; the trouble is that
> barnyard won't discriminate based on interface, so in BASE you'll just
> see all the traffic as if it were from one NIC.
>
> If you want to separate the alerts, you'll need a separate mysql
> database, snort.conf, and barnyard instance (and folder). I'm pretty
> sure on that; I went the cheapie route, and just used one.
>
> http://seclists.org/snort/2002/q2/1975 for more ideas.
>
> On Mon, May 3, 2010 at 4:20 PM, Stanley C. Mortel <mortel at cyber-nos.com> wrote:
>
>> Has anyone got enough experience configuring snort to know if it can be set
>> to monitor traffic on two NICs at once?  What I am looking at is using a
>> passive network tap without aggregation, thus feeding the inbound and
>> outbound traffic to a box with two NICs installed using properly wired
>> unidirectional sniffing cables.  Doesn't seem like you'd need two snort
>> boxes to watch both Rx and Tx traffic going over a wire.  Anyway, I've not
>> had much luck googling this.  So before I spent much more time on it, I
>> thought I'd ask here.
>>
>> Thanks.
>>
>> Stan
>> _______________________________________________
>> linux-user mailing list
>> linux-user at egr.msu.edu
>> http://mailman.egr.msu.edu/mailman/listinfo/linux-user
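Karl's point above is that two `snort -i` instances are the easy part and that the Barnyard side is where the two tap legs merge. As an added example (not code from the thread or from the Snort/Barnyard2 projects), this POSIX sh script starts one Snort and one Barnyard2 instance per tap NIC, each with its own spool directory, waldo file, Barnyard2 config and database name, so each leg's alerts stay separable. It assumes Barnyard2 with MySQL output, a shared snort.conf containing `output unified2: filename snort.u2, limit 128` (a relative filename, so `-l` places each leg's spool in its own directory), and placeholder interface names, paths and credentials.

```shell
#!/bin/sh
# Added example, not code from the thread or the Snort/Barnyard2 projects.
# One Snort and one Barnyard2 instance per tap leg, each with its own spool
# directory, waldo file, Barnyard2 config and database name, so the alerts
# from the two NICs never merge. Interface names, paths and the DB
# credentials are placeholders; DRY_RUN=1 (the default) only prints commands.
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}   # assumed to contain: output unified2: filename snort.u2, limit 128
LOG_ROOT=${LOG_ROOT:-/var/log/snort}
DRY_RUN=${DRY_RUN:-1}

# Write $LOG_ROOT/<iface>/barnyard2.conf. 'config interface' tags every
# record with its NIC, and dbname is per leg, so nothing is shared downstream.
write_by2_conf() {
    iface=$1; dir=$LOG_ROOT/$iface
    mkdir -p "$dir"
    cat > "$dir/barnyard2.conf" <<EOF
config hostname: ${SENSOR_NAME:-$(hostname 2>/dev/null || echo sensor)}
config interface: $iface
input unified2
output database: log, mysql, user=snort password=CHANGEME dbname=snort_$iface host=localhost
EOF
    echo "$dir/barnyard2.conf"
}

# Print the Snort and Barnyard2 command lines for one leg; run them unless DRY_RUN=1.
# -l gives Snort a per-leg log dir, so the relative unified2 filename lands there;
# -d/-f/-w point Barnyard2 at that same spool and a per-leg waldo (read position) file.
start_leg() {
    iface=$1; dir=$LOG_ROOT/$iface
    conf=$(write_by2_conf "$iface")
    snort_cmd="snort -c $SNORT_CONF -i $iface -l $dir -D"
    by2_cmd="barnyard2 -c $conf -d $dir -f snort.u2 -w $dir/barnyard2.waldo -D"
    echo "$snort_cmd"
    echo "$by2_cmd"
    [ "$DRY_RUN" = 1 ] || { $snort_cmd && $by2_cmd; }
}

# Usage: TAP_NICS='eth1 eth2' DRY_RUN=0 sh start_tap_legs.sh   (one leg per tap NIC)
if [ -n "$TAP_NICS" ]; then
    for nic in $TAP_NICS; do start_leg "$nic"; done
fi
```

With both legs in their own database, BASE can be pointed at either one; with a single shared database the `config interface` value is still what lets you tell the sensors apart.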