Snort mailing list archives

Stealth sensor on SPAN port w/o tap


From: Robert MacKinnon <robert.mackinnon () broadpark no>
Date: Sun, 10 Nov 2002 14:26:11 +0100

Is it possible to have three Ethernet interfaces in a snort sensor; one interface connected to a management network for sensor control and reporting and the other two sensors connected into separate switches configured in a high availability mode? ASCII art follows:

                             +-----------------------------+
                             |            SW1A             |
                             +------+--------------------+-+
        +-----------+               |                    |
--------|   SNORT   +---------------+                    |
        |           +----------------------+       Etherchannel
        +-----------+                      |             |
                             +-------------+-------------+-+
                             |            SW1B             |
                             +-----------------------------+

The etherchannel connects the switches together in a HA arrangement. The snort sensors would be connected to SPAN ports monitoring local ports on each switch (10/100 baseT speeds). STP would block nonactive ports so only one sensor at a time would be receiving data. The interfaces would be stealthy.

My question arises because I'm not sure if I would have to
- configure two instances of snort on the same machine and give each sensor an ID in ACID.
or
- configure one instance of snort with multiple -i flag options.

Any opinions?  TIA.

        - Rob.



