Re: Snort IDS + TAPS

[Chris Reining <creining () packetfu org>]

Eric,
I would recommend using channel bonding module under linux to aggregate
the RX and TX streams from your INTERFACE 1 and INTERFACE 2 and run
snort on the bonded interface.

I use it like so to bond eth0 and eth1 together to interface bond0:

/etc/modules.conf:
alias bond0 bonding
options bond0 miimon=100 downdelay=0

/etc/sysconfig/network-scripts/ifcfg-bond0:
DEVICE=bond0
USERCTL=no
ONBOOT=yes

/etc/sysconfig/network-scripts/ifcfg-{eth0,eth1}:
DEVICE=eth0
USERCTL=no
ONBOOT=yes
MASTER=bond0
SLAVE=yes

Note that when a program such as snort or tcpdump sets the bonded
interface in PROMISC mode it will be propagated down to the trunks.

Also see bonding.txt doc.

Hope this helps,
Chris

On Wed, Nov 12, 2003 at 01:23:45PM -0800, Eric Hines wrote:
> All:
>
> We are deploying Snort on a two interface appliance, connected to a GigE 
> Netoptics Ethernet TAP. By design, TAPs are split up into (2) monitoring ports, 
> (RX split up between two ports):
>
> INTERFACE 1 - (from router -> switch) [ ] 
> INTERFACE 2 - (from switch -> router) [ ]
>
> Obviously because the RX is split up between 2 ports, if we bind Snort to 
> interface 1, it will only see traffic from ROUTER -> SWITCH. If we bind Snort 
> to inteerface 2, it will only see traffic from SWITCH -> ROUTER. Therefore, we 
> must bind Snort to both interfaces to see both sides of the session. Here's 
> where the problem is. If 2 separate Snort processes are monitoring two 
> interfaces, how is the Snort on each interface going to maintain state for all 
> the connections? Each snort process only sees 1/2 of the connection! 
>
> I've spoken to someone that has said Snort requires modification to listen on a 
> tapped device because of this very issue. Someone please advise.
>
>
> -------------------------------------------
> Eric Hines
> CEO, Chairman
> Applied Watch Technologies, Inc.
> web: http://www.appliedwatch.com
> email: eric.hines () appliedwatch com
> -------------------------------------------
> Direct: (877) 262-7593 x327 - Toll Free
> Fax: (877) 262-7593 
> Main: (877) 262-7593 (9am-5pm CST)
> -------------------------------------------
> "Break free of the IDS Web Browser Prison at
> Applied Watch Technologies"
>
>
>
>
>
> ---------------------------------------------------------------------------
> Network with over 10,000 of the brightest minds in information security
> at the largest, most highly-anticipated industry event of the year.
> Don't miss RSA Conference 2004! Choose from over 200 class sessions and
> see demos from more than 250 industry vendors. If your job touches
> security, you need to be here. Learn more or register at
> http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 
> and use priority code SF4.
> ---------------------------------------------------------------------------

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 
and use priority code SF4.
---------------------------------------------------------------------------