Snort On Multiple NICs

snort | 2012. 11. 9. 11:37

When a Snort server has to monitor two or more NICs, the Linux bonding feature can be used to manage them as a single sensor.


@@ Scenario: bonding eth1 and eth2 together


==Add the master ifcfg

#vi /etc/sysconfig/network-scripts/ifcfg-bond0

DEVICE=bond0
ONBOOT=yes
USERCTL=no
#do not register MAC (HWADDR) information here


==Edit the ifcfg of the interfaces that will become slaves

#vi /etc/sysconfig/network-scripts/ifcfg-eth1

DEVICE=eth1
HWADDR=11:11:11:11:11:11
ONBOOT=yes
USERCTL=no
MASTER=bond0
SLAVE=yes
DHCP_HOSTNAME=localhost
TYPE=Ethernet

#vi /etc/sysconfig/network-scripts/ifcfg-eth2

DEVICE=eth2
HWADDR=11:11:11:11:11:12
ONBOOT=yes
USERCTL=no
MASTER=bond0
SLAVE=yes
DHCP_HOSTNAME=localhost
TYPE=Ethernet


==Edit modprobe.conf

#vi /etc/modprobe.conf

#add the lines below

alias bond0 bonding
options bond0 mode=3 miimon=100


==Load the module

#modprobe bonding

==Check that the module is loaded

#lsmod |grep bonding



Restart the network

#service network restart

Now let's check

#ifconfig


bond0     Link encap:Ethernet  HWaddr ===
          UP BROADCAST RUNNING PROMISC MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:3356331948 errors:0 dropped:1237 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1833559479666 (1.6 TiB)  TX bytes:0 (0.0 b)

eth0      Link encap:Ethernet  HWaddr ===
          inet addr:192.168.25.238  Bcast:192.168.25.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:109870 errors:0 dropped:0 overruns:0 frame:0
          TX packets:57559 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10922558 (10.4 MiB)  TX bytes:46141080 (44.0 MiB)
          Interrupt:162 Memory:f4000000-f4012800

eth1      Link encap:Ethernet  HWaddr ===
          UP BROADCAST RUNNING PROMISC SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:2905684886 errors:0 dropped:1221 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1732421175495 (1.5 TiB)  TX bytes:0 (0.0 b)
          Interrupt:170 Memory:f2000000-f2012800

eth2      Link encap:Ethernet  HWaddr ===
          UP BROADCAST RUNNING PROMISC SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:450647062 errors:0 dropped:16 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:101138304171 (94.1 GiB)  TX bytes:0 (0.0 b)
          Interrupt:178 Memory:f8000000-f8012800



##snort startup option

snort -i bond0 ....
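Once the sensor runs on bond0, a dead slave link silently removes part of the traffic Snort sees. The following added check (not part of the original post) parses the kernel's /proc/net/bonding/bond0 status file and reports when the bond is not in the broadcast mode set above (mode=3), miimon differs from 100, an expected slave is missing, or a slave link is down or has recorded failures; the status text is a constructed sample in the kernel's format, with eth2 deliberately down.

```python
import re

# Constructed sample of /proc/net/bonding/bond0 for the setup in this post.
# On a live sensor, read the real file: open("/proc/net/bonding/bond0").read()
SAMPLE_STATUS = """\
Ethernet Channel Bonding Driver: v3.4.0 (October 7, 2008)

Bonding Mode: fault-tolerance (broadcast)
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
Permanent HW addr: 11:11:11:11:11:11

Slave Interface: eth2
MII Status: down
Link Failure Count: 3
Permanent HW addr: 11:11:11:11:11:12
"""

def parse_bond_status(text):
    """Split the status text into the master section and one dict per slave."""
    sections = re.split(r"\n(?=Slave Interface:)", text.strip())
    def to_dict(block):
        # 'Key: value' lines; MAC addresses contain ':' but never ': ', so split once.
        return dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
    return to_dict(sections[0]), [to_dict(s) for s in sections[1:]]

def check_sensor_bond(text, expected_slaves=("eth1", "eth2"), miimon="100"):
    """Return a list of problems; an empty list means the bond matches the post's setup."""
    master, slaves = parse_bond_status(text)
    problems = []
    if "broadcast" not in master.get("Bonding Mode", ""):
        problems.append("mode is not broadcast (mode=3)")
    if master.get("MII Polling Interval (ms)") != miimon:
        problems.append("miimon is not %s" % miimon)
    names = [s["Slave Interface"] for s in slaves]
    problems += ["%s is not enslaved" % want for want in expected_slaves if want not in names]
    for s in slaves:
        if s.get("MII Status") != "up":
            problems.append("%s link is down" % s["Slave Interface"])
        if int(s.get("Link Failure Count", "0")) > 0:
            problems.append("%s has %s link failures" % (s["Slave Interface"], s["Link Failure Count"]))
    return problems

if __name__ == "__main__":
    for problem in check_sensor_bond(SAMPLE_STATUS):
        print("WARN:", problem)
```

Run it from cron or the monitoring agent of your choice and alert on any non-empty result, since Snort itself will not complain when one slave stops feeding bond0.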

Posted by applicationlayer