Snort mailing list archives

RE: Span Port to Fiber Tap Problems


From: "Dusty Hall" <halljer () auburn edu>
Date: Thu, 23 Oct 2003 12:28:55 -0500


  We figured out the problem... We previously thought that we only
needed one fiber NIC in our Snort system, but it turns out we overlooked
that the tap turns the traffic into two Rx streams. This means we would
have to use two fiber NICs (because you can only have one Rx channel per
NIC).  After reading some old posts on Bonding we combined two NICs
into bond0, which Snort is able to use.  Everything seems to be working
like a champ at the moment.

  Is there any disadvantage to the way we have ours set up compared to
the way Vjay suggests?

-Dusty

-----
Dusty Hall
Network Security Specialist
Auburn University


"larosa, vjay" <larosa_vjay () emc com> 10/21/2003 11:30:40 PM >>>
Mike, I tried to reply directly but mail to you is bouncing; hopefully you
and some other people on the list will find this diagram helpful. I whipped
it up quick, hope it isn't too confusing.

vjl

-----Original Message-----
From: larosa, vjay 
Sent: Wednesday, October 22, 2003 12:25 AM
To: 'kudzu () tenebras com' 
Subject: FW: [Snort-users] Span Port to Fiber Tap Problems


Okay, see if this makes sense to you. If not maybe we should talk on the
phone.


vjl



-----Original Message-----
From: Michael Sierchio [mailto:kudzu () tenebras com] 
Sent: Tuesday, October 21, 2003 11:06 PM
To: larosa, vjay
Subject: Re: [Snort-users] Span Port to Fiber Tap Problems

larosa, vjay wrote:
Your fiber tap has a send and receive in one cable now. You need to split
the cable, plug half of each side into a small switch (Cisco 3500 XL 8 port
gig with auto negotiation turned off) then span the two ports back into one
port where you plug in your snort sensor. The Gigabit line you have snort
plugged in now is only presenting half of the conversation to snort, so
stream4 is not allowing the packets to be processed because it is only
seeing half of the conversation. Let me know if you need more help, I have
this setup in several places.

vjay -

I for one do wish you'd expand a bit (got any diagrams or photos?). I've
done copper taps, but never fiber taps, so am concerned about doing it
right and getting all the packets.

Thanks,

Michael
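
Added example, not part of the original thread: a Python check that reads `tcpdump -nn` text output captured on the sensor interface and reports how many TCP conversations were seen in one direction only, the symptom described above when just one tap leg reaches Snort. The function names, the 0.9 threshold and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Address part of a `tcpdump -nn` TCP/IPv4 line: "IP a.b.c.d.port > e.f.g.h.port: Flags"
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags")

def direction_coverage(lines):
    """Return (both, one): conversations seen in both directions / one direction."""
    seen = defaultdict(set)              # conversation -> directions observed
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                     # not a TCP/IPv4 line, ignore
        src = (m.group(1), int(m.group(2)))
        dst = (m.group(3), int(m.group(4)))
        key = tuple(sorted([src, dst]))  # same key for A->B and B->A
        seen[key].add(src == key[0])     # True/False marks the direction
    both = sorted(k for k, d in seen.items() if len(d) == 2)
    one = sorted(k for k, d in seen.items() if len(d) == 1)
    return both, one

def looks_half_duplex(lines, threshold=0.9):
    """True when at least `threshold` of conversations are one-sided.

    Some one-sided flows are normal (scans, dropped SYNs); the threshold is
    an assumed cut-off for "the sensor is attached to a single tap leg".
    """
    both, one = direction_coverage(lines)
    total = len(both) + len(one)
    return total > 0 and len(one) / total >= threshold

# Constructed sample: capture from a single NIC on one tap leg (client side only).
SAMPLE_ONE_LEG = [
    "12:00:00.000001 IP 10.0.0.5.40000 > 192.0.2.10.80: Flags [S], seq 1, length 0",
    "12:00:00.000300 IP 10.0.0.5.40000 > 192.0.2.10.80: Flags [.], ack 1, length 0",
    "12:00:00.000900 IP 10.0.0.6.40001 > 192.0.2.10.443: Flags [S], seq 7, length 0",
]
# Constructed sample: same traffic with the second leg merged in (bond0 or span port).
SAMPLE_MERGED = SAMPLE_ONE_LEG + [
    "12:00:00.000200 IP 192.0.2.10.80 > 10.0.0.5.40000: Flags [S.], seq 9, ack 2, length 0",
    "12:00:00.001000 IP 192.0.2.10.443 > 10.0.0.6.40001: Flags [S.], seq 3, ack 8, length 0",
]

if __name__ == "__main__":
    for name, sample in (("one leg", SAMPLE_ONE_LEG), ("merged", SAMPLE_MERGED)):
        both, one = direction_coverage(sample)
        print(name, "both:", len(both), "one-sided:", len(one),
              "half-duplex:", looks_half_duplex(sample))
```
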


