Snort mailing list archives

AW: Snort and network taps


From: "Poppi, Sandro" <Sandro.Poppi () wacker com>
Date: Tue, 23 Apr 2002 16:34:19 +0200

Detmar,

I tested channel bonding with Linux and it works very well with taps. I
would really not use solution 3 when the interface is listening on a tap
(but I use sol 3 when listening on more than 1 interface which is connected
to a span port but not to a tap).

You will lose a lot of required information if using sol 3 with a tap,
making snort nearly useless (pardon me, I really mean only in that specific
configuration ;)

I hope to make some more tests using Gig taps, channel bonding and snort
this or next week.

So long,
Sandro

Hi all,

I've got a question about using Snort with network taps, but this 
question could be relevant for any other NIDS as well:

I have decided to use network taps in order to monitor switchports.
Those taps have the advantage of being read-only and making switch
port mirroring unnecessary. Also full duplex monitoring is guaranteed this
way.
When using such network taps, you need two sniffing interfaces, one for
each tap port, i.e. one for each direction of communication.

Now there are three different possibilities in order to run snort
with this setup:

1.) running snort on any interface, which I would not prefer, because I
don't want to monitor the interface to the MySQL database, which is
located in a separate, secured segment.

2.) using channel bonding in order to logically merge datastreams of both
sniffing interfaces and let snort sniff on the virtual interface,
which is a practice I have not tested, yet.

3.) running one snort process on each sniffing interface

Although I have heard that the second variant works pretty well,
I would prefer the third method, since I suppose channel bonding is not
available for all operating systems and the third variant is better in
performance.

But now comes the real question:

Wouldn't I lose the stateful inspection capability of snort when
using the third method?
Each snort process only sees one direction of each connection,
so it cannot know if a connection has been properly established or
not.
It seems to me that this is a problem that most NIDS should encounter
when running on tap ports, right?

What would you recommend me to do, in order not to lose stateful
analysis capabilities?

Thanks for any pointers, hints and suggestions.

Greetings,
D. Liesen

-- 
GMX - The communication platform on the Internet.
http://www.gmx.net
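The question above (one Snort process per tap port loses connection state) can be made concrete with a small replay. The following is an added example, not code from either poster and not Snort's own stream tracking: a toy TCP handshake tracker fed with a constructed four-packet capture, once with both tap ports merged (what channel bonding gives you) and once with each tap port alone (what one Snort process per interface sees). The packet layout, the `tap_port` labels and the state names are assumptions made for the illustration.

```python
"""Toy TCP handshake tracker.

Added example (not part of the original posts, not Snort's own code): it
shows why one IDS process per tap port cannot establish connection state,
while a merged (bonded) view of both ports can. All packets are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float       # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # "S" SYN, "SA" SYN/ACK, "A" ACK, "PA" data segment
    tap_port: str   # assumed labels: "A" client->server wire, "B" server->client wire


def flow_key(p):
    """Direction-independent key so both halves of a connection match."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a < b else (b, a)


def track(pkts):
    """Replay packets in timestamp order and return each flow's final state.

    Merging two tap ports means interleaving by capture time, which is why
    the replay sorts on ts rather than trusting the order packets arrive in.
    """
    state = {}
    for p in sorted(pkts, key=lambda p: p.ts):
        k = flow_key(p)
        cur = state.get(k)
        if p.flags == "S":
            state[k] = "SYN_SEEN"
        elif p.flags == "SA" and cur == "SYN_SEEN":
            state[k] = "SYNACK_SEEN"
        elif p.flags == "A" and cur == "SYNACK_SEEN":
            state[k] = "ESTABLISHED"
        elif cur is None:
            # traffic for which this view never saw a handshake
            state[k] = "MIDSTREAM"
    return state


def only_side(pkts, tap_port):
    """What a single Snort process bound to one tap port would see."""
    return [p for p in pkts if p.tap_port == tap_port]


# Constructed capture: one full handshake plus one data segment, as the two
# tap ports would deliver it (port A carries client->server, port B the reverse).
C, S = "10.0.0.5", "10.0.0.80"
HANDSHAKE = [
    Pkt(1.000, C, 40000, S, 80, "S", "A"),
    Pkt(1.001, S, 80, C, 40000, "SA", "B"),
    Pkt(1.002, C, 40000, S, 80, "A", "A"),
    Pkt(1.003, C, 40000, S, 80, "PA", "A"),
]


def compare(pkts):
    """Final flow state as seen merged, from port A only, and from port B only."""
    k = flow_key(pkts[0])
    return {
        "merged": track(pkts)[k],
        "A_only": track(only_side(pkts, "A"))[k],
        "B_only": track(only_side(pkts, "B"))[k],
    }


if __name__ == "__main__":
    for view, st in compare(HANDSHAKE).items():
        print(f"{view:8s} -> {st}")
```

The merged view walks SYN, SYN/ACK, ACK and ends in ESTABLISHED. The port-A-only process sees the SYN and the final ACK but never the SYN/ACK, so it is stuck in SYN_SEEN and cannot tell a completed handshake from a half-open one; the port-B-only process sees a SYN/ACK out of nowhere and treats the flow as MIDSTREAM. Any rule or preprocessor that keys on an established session therefore stays silent in the per-interface setup, which is the information loss Sandro's reply refers to.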


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

