Re: IDS using Taps & network bridging

From: Bennett Todd (
Date: 11/27/02

  • Next message: Chiara Sambi: "span and stacking switch and MSFC"
    Date: Wed, 27 Nov 2002 09:38:11 -0500
    From: Bennett Todd <>

    Rather than bridging the eth interfaces, try bonding them; the
    invocations looks something like

            grep bond0 /etc/modules.conf >/dev/null || \
                    echo alias bond0 bonding >>/etc/modules.conf
            /sbin/ifconfig bond0 promisc up
            /sbin/ifconfig eth1 up
            /sbin/ifenslave bond0 eth1
            /sbin/ifconfig eth2 up
            /sbin/ifenslave bond0 eth2
            snort -i bond0 ...

    The bonding interface is described in the kernel Documentation
    directory, in networking/bonding.txt. When you are doing unnumbered
    interfaces as above for sniffing, ifenslave(1) whinges a lot, since
    it wants to propagate addresses back and forth, to support H-A
    setups and etherchannel and the like. But just ignore the
    complaints, it seems to work fine.