Snort mailing list archives

Previous By Date Next
Previous By Thread Next

AW: Snort & multi-port ethernet cards

From: "Poppi, Sandro" <Sandro.Poppi () wacker com>
Date: Thu, 20 Jun 2002 17:06:48 +0200
Tom,

I'm running snort with a dlink 4 port nic with RedHat 7.2. I had to add some
aliases into /etc/modules.conf like this (assuming eth0 - 3 for the 4 port
card and the driver is compiled as a module):

alias eth0 de4x5
alias eth1 de4x5
alias eth2 de4x5
alias eth3 de4x5

Also have a look into /usr/src/linux/Documentation/networking where there
are some good documents regarding the driver for the nic which I suppose is
making trouble.

For Linux driver http://www.scyld.com/page/support/network/ is a great site.

Don't know about FreeBSD, sorry.

HTH,
Sandro


Running various versions of snort, in the 1.8 range, I've 
tried to use two
different multi-port ethernet adapters.

One is an HP ANA-6944B/TX (Adaptec OEM'd to HP), 4 x 21140

and

the other is a Znyx ZX346Q, 4 x 21143

Base systems:

1) Compaq Proliant 1850R 2x PIII cpu's, FreeBSD 4.4 & 4.5 versions

2) Compaq Proliant 1600R 2x PIII cpu's, RH Linux 7.3

In the various scenarios I have tried to use these cards, it 
seems that only
one port at a time will actually return packets.  Verified by running
tcpdump on the different ports (ie., it's not just snort!  
the symptoms are
seen as the same when trying to run two instances of tcpdump or two
instances of snort.

It is not external to the snort systems -- If I remove the 
quad card and
through in distinct nic cards, then all is well.

The problem appears to be that when the same driver is used 
for multiple
NICS, only one of the NICS will function as necessary for snort.

I would like to find a solution to this problem, as I have a 
couple of quad
cards laying around, and using these I can have a single box 
monitoring many
internal lan segments.  Otherwise I have to request 
additional boxes as
sensors.

Hopefully someone else has seen/observed this, and might have a
fix/work-around/solution....





-------------------------------------------------------
                   Bringing you mounds of caffeinated joy
                   >>>     http://thinkgeek.com/sf    <<<

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
                   Bringing you mounds of caffeinated joy
                   >>>     http://thinkgeek.com/sf    <<<

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: