Snort mailing list archives
AW: Snort and network taps
From: "Poppi, Sandro" <Sandro.Poppi () wacker com>
Date: Tue, 23 Apr 2002 16:34:19 +0200
Detmar,

I tested channel bonding with Linux and it works very well with taps. I would really not use solution 3 when the interface is listening on a tap (but I use sol 3 when listening on more than 1 interface which is connected to a span port but not to a tap). You will lose a lot of required information if using sol 3 with a tap, making snort nearly useless (pardon me, I really mean only in that specific configuration ;)

I hope to make some more tests using Gig taps, channel bonding and snort this or next week.

So long,
Sandro
Hi all,

I've got a question about using Snort with network taps, but this question could be relevant for any other NIDS as well:

I have decided to use network taps in order to monitor switch ports. Those taps have the advantage of being read-only and making switch port mirroring unnecessary. Also, full duplex monitoring is guaranteed this way. When using such network taps, you need two sniffing interfaces, one for each tap port, i.e. one for each direction of communication.

Now there are three different possibilities in order to run snort with this setup:

1.) running snort on any interface, which I would not prefer, because I don't want to monitor the interface to the MySQL database, which is located in a separate, secured segment.
2.) using channel bonding in order to logically merge the datastreams of both sniffing interfaces and let snort sniff on the virtual interface, which is a practice I have not tested yet.
3.) running one snort process on each sniffing interface

Although I have heard that the second variant works pretty well, I would prefer the third method, since I suppose channel bonding is not available for all operating systems and the third variant is better in performance.

But now comes the real question: Wouldn't I lose the stateful inspection capability of snort when using the third method? Each snort process only sees one direction of each connection, so it cannot know if a connection has been properly established or not. It seems to me that this is a problem that most NIDS should encounter when running on tap ports, right?

What would you recommend I do in order not to lose stateful analysis capabilities?

Thanks for any pointers, hints and suggestions.

Greetings,
D. Liesen

--
GMX - The communication platform on the Internet.
http://www.gmx.net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
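The point Sandro makes about solution 3 (one sensor per tap port) versus solution 2 (channel bonding) can be shown with a small simulation. The following is an added illustration, not code from the thread or from Snort: a minimal TCP connection tracker is fed, first, only the packets one tap port would carry, and then the two tap ports interleaved by timestamp, which is what a bonded interface hands to a single sniffer. All addresses, ports, timestamps and byte counts are constructed; no capture library is involved.

```python
"""Added illustration: why a sensor that sees only one direction of a TCP
connection cannot perform stateful inspection, and how merging both tap ports
(as channel bonding does) restores it.

Every address, port, timestamp and payload size below is constructed.
"""
from dataclasses import dataclass

CLIENT = "10.0.0.5:40000"   # constructed client endpoint
SERVER = "10.0.0.9:80"      # constructed server endpoint


@dataclass(frozen=True)
class Pkt:
    ts: float      # capture time, used to interleave the two tap ports
    src: str
    dst: str
    flags: str     # TCP flag letters: S = SYN, A = ACK
    payload: int   # payload bytes


# Tap port A carries client -> server, tap port B carries server -> client.
TAP_A = [
    Pkt(0.000, CLIENT, SERVER, "S", 0),    # SYN
    Pkt(0.020, CLIENT, SERVER, "A", 0),    # ACK completing the handshake
    Pkt(0.030, CLIENT, SERVER, "A", 120),  # first data segment (request)
]
TAP_B = [
    Pkt(0.010, SERVER, CLIENT, "SA", 0),   # SYN/ACK
    Pkt(0.040, SERVER, CLIENT, "A", 512),  # response data
]

FLOW = tuple(sorted((CLIENT, SERVER)))


def flow_key(p):
    """Direction-independent key so both halves of a connection share state."""
    return tuple(sorted((p.src, p.dst)))


def track(packets):
    """Minimal TCP tracker: NONE -> SYN_SENT -> SYN_RCVD -> ESTABLISHED.

    Returns {flow: (final_state, payload bytes seen while ESTABLISHED)}.
    Data seen before the handshake is complete is not counted, mirroring a
    stateful rule that only fires on established connections.
    """
    flows = {}
    for p in sorted(packets, key=lambda p: p.ts):
        state, inspected = flows.get(flow_key(p), ("NONE", 0))
        if state == "NONE" and p.flags == "S":
            state = "SYN_SENT"
        elif state == "SYN_SENT" and p.flags == "SA":
            state = "SYN_RCVD"
        elif state == "SYN_RCVD" and p.flags == "A":
            state = "ESTABLISHED"
        elif state == "ESTABLISHED":
            inspected += p.payload
        flows[flow_key(p)] = (state, inspected)
    return flows


def per_interface_sensors():
    """Solution 3 from the thread: one sensor per tap port, each sees one direction."""
    return track(TAP_A)[FLOW], track(TAP_B)[FLOW]


def bonded_sensor():
    """Solution 2 from the thread: both tap ports merged into one stream first."""
    return track(TAP_A + TAP_B)[FLOW]


if __name__ == "__main__":
    a, b = per_interface_sensors()
    print("sensor on tap A only:", a)   # handshake never completes
    print("sensor on tap B only:", b)   # never even sees the SYN
    print("bonded sensor:       ", bonded_sensor())
```

The sensor on tap port A is stuck in SYN_SENT because the SYN/ACK travelled the other way, the sensor on tap port B never sees a SYN at all, and neither inspects a single payload byte as established traffic. The merged stream reaches ESTABLISHED and inspects both data segments, which is the information Sandro describes losing when solution 3 is used behind a tap.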