IDS mailing list archives
Re: Snort IDS + TAPS
From: Chris Reining <creining () packetfu org>
Date: Thu, 13 Nov 2003 11:22:53 -0500
Eric, I would recommend using channel bonding module under linux to aggregate the RX and TX streams from your INTERFACE 1 and INTERFACE 2 and run snort on the bonded interface. I use it like so to bond eth0 and eth1 together to interface bond0: /etc/modules.conf: alias bond0 bonding options bond0 miimon=100 downdelay=0 /etc/sysconfig/network-scripts/ifcfg-bond0: DEVICE=bond0 USERCTL=no ONBOOT=yes /etc/sysconfig/network-scripts/ifcfg-{eth0,eth1}: DEVICE=eth0 USERCTL=no ONBOOT=yes MASTER=bond0 SLAVE=yes Note that when a program such as snort or tcpdump sets the bonded interface in PROMISC mode it will be propagated down to the trunks. Also see bonding.txt doc. Hope this helps, Chris On Wed, Nov 12, 2003 at 01:23:45PM -0800, Eric Hines wrote:
All: We are deploying Snort on a two interface appliance, connected to a GigE Netoptics Ethernet TAP. By design, TAPs are split up into (2) monitoring ports, (RX split up between two ports): INTERFACE 1 - (from router -> switch) [ ] INTERFACE 2 - (from switch -> router) [ ] Obviously because the RX is split up between 2 ports, if we bind Snort to interface 1, it will only see traffic from ROUTER -> SWITCH. If we bind Snort to inteerface 2, it will only see traffic from SWITCH -> ROUTER. Therefore, we must bind Snort to both interfaces to see both sides of the session. Here's where the problem is. If 2 separate Snort processes are monitoring two interfaces, how is the Snort on each interface going to maintain state for all the connections? Each snort process only sees 1/2 of the connection! I've spoken to someone that has said Snort requires modification to listen on a tapped device because of this very issue. Someone please advise. ------------------------------------------- Eric Hines CEO, Chairman Applied Watch Technologies, Inc. web: http://www.appliedwatch.com email: eric.hines () appliedwatch com ------------------------------------------- Direct: (877) 262-7593 x327 - Toll Free Fax: (877) 262-7593 Main: (877) 262-7593 (9am-5pm CST) ------------------------------------------- "Break free of the IDS Web Browser Prison at Applied Watch Technologies" --------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 and use priority code SF4. ---------------------------------------------------------------------------
--------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 and use priority code SF4. ---------------------------------------------------------------------------
Current thread:
- Snort IDS + TAPS Eric Hines (Nov 13)
- Re: Snort IDS + TAPS Chris Reining (Nov 13)
- <Possible follow-ups>
- RE: Snort IDS + TAPS kgeorgiades (Nov 17)
- RE: Snort IDS + TAPS PPowenski (Nov 17)