snort on multiple interfaces
Vlad Galu
dudu at dudu.ro
Wed Oct 28 14:43:29 UTC 2009
On Wed, Oct 28, 2009 at 4:35 PM, Andrea Venturoli <ml at netfence.it> wrote:
> Some years ago, I checked to see whether I would be able to let a single
> snort process listen on more than one NIC.
> At the time it was only possible in Linux.
>
In Linux the packet capture facility is implemented in a different
(and very inefficient) manner, via raw sockets (which means that, in
order to reach userspace, a packet has to travel the whole IP stack -
including firewall - until delivery to the user process). BSD has BPF,
which basically delivers a copy of the packet to userspace right
before it enters the IP stack for kernel processing. Each network
driver does this through the BPF_TAP() macro.
> Now, I searched a bit, but nothing new came up.
>
> Did anything improve since then? Do we still need multiple snort processes
> to listen on more than one interface?
> Can some netgraph node help with this?
You can try lagg(4) with the "loadbalance" option, ng_one2many(4),
or ng_fec(4).
>
> bye & Thanks
> av.
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
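As an added example (not from this thread, nor from snort or FreeBSD), here is the lagg(4) "loadbalance" approach from the reply as a small sh script: it aggregates the capture NICs into one lagg interface and starts a single snort process on it. Interface names em0/em1, the lagg0 name and the snort.conf path are assumptions; it needs root on FreeBSD with the if_lagg module available.

```shell
#!/bin/sh
# Added example: one snort process listening on several NICs via lagg(4).
# Assumes FreeBSD, if_lagg available, snort on PATH. em0/em1/lagg0 and the
# snort.conf path are placeholders.

LAGG=${LAGG:-lagg0}
DRY_RUN=${DRY_RUN:-0}

# Run a command, or only print it when DRY_RUN=1 so the plan can be
# reviewed before any interface is touched.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build the lagg from the member NICs given as arguments. "loadbalance"
# needs no LACP partner; lagg0 receives frames from every member. Members
# are put in promiscuous mode so frames not addressed to this host (the
# normal case on a span/tap port) are still captured.
lagg_setup() {
    [ $# -ge 1 ] || { echo "usage: lagg_setup IF [IF...]" >&2; return 1; }
    run kldload -n if_lagg
    run ifconfig "$LAGG" create
    run ifconfig "$LAGG" laggproto loadbalance
    for nic in "$@"; do
        run ifconfig "$nic" up promisc
        run ifconfig "$LAGG" laggport "$nic"
    done
    run ifconfig "$LAGG" up promisc
}

# Remove the aggregate again (members keep their flags).
lagg_teardown() {
    run ifconfig "$LAGG" destroy
}

# Start a single snort instance on the aggregated interface.
snort_start() {
    run snort -i "$LAGG" -c /usr/local/etc/snort/snort.conf "$@"
}

if [ "${1:-}" = "--apply" ]; then
    shift
    lagg_setup "$@" && snort_start
fi
```

Run it as `DRY_RUN=1 sh lagg-snort.sh --apply em0 em1` first to print the ifconfig sequence, then without DRY_RUN to apply it.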