IDS mailing list archives
Re: port bonding and taps
From: Jeffrey.Stebelton () bisys com
Date: Thu, 2 Oct 2003 10:57:54 -0400
What we have done is to set a 10 Mb Ethernet hub up near the tap and run both tap ports into it. We then plug whatever sniffers you want into the hub and you will see both sides of the traffic. Jeff Stebelton Manager, Network Security BISYS Network Security Group 614-470-8249 direct 614-203-2563 cell |---------+----------------------------> | | "John Flynn" | | | <johnflynn@fastma| | | il.fm> | | | | | | 10/01/2003 02:53 | | | PM | | | | |---------+----------------------------> >---------------------------------------------------------------------------------------------------------------| | | | To: focus-ids () securityfocus com | | cc: | | Subject: port bonding and taps | >---------------------------------------------------------------------------------------------------------------| Hi all, I'm trying to set up various snort boxes, both on fiber and copper taps. In order to reconstruct both sides of the stream I understand that one needs to use multiple cards since the tap outputs the tx and rx on separate channels. The problem is that to make snort alert correctly one really has to aggregate the directions. This is commonly done using a spanning port, but we do not have enough of those at our facility to go around. In linux (and in general) it seems this idea is called port bonding. There is a bonding kernel module for linux and appropriate commands for setting this up (ifenslave etc), but it seems to be very poorly documented. I have tried to set up bonding multiple times and could not seem to get it to work. Does anyone have good documentation on how to do this type of set up, or perhaps a better way to do snort+taps without using a spanning port? Thanks, John Flynn -- http://www.fastmail.fm - Accessible with your email software or over the web --------------------------------------------------------------------------- Captus Networks IPS 4000 Intrusion Prevention and Traffic Shaping Technology to: - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Automatically Control P2P, IM and Spam Traffic - Precisely Define and Implement Network Security & Performance Policies FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101 --------------------------------------------------------------------------- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Any other use of this information is strictly prohibited. If you have received this email in error please notify the system manager via email at mailadmin () bisys com and delete the file immediately. Thank you for your cooperation. --------------------------------------------------------------------------- Captus Networks IPS 4000 Intrusion Prevention and Traffic Shaping Technology to: - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Automatically Control P2P, IM and Spam Traffic - Precisely Define and Implement Network Security & Performance Policies FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101 ---------------------------------------------------------------------------
Current thread:
- port bonding and taps John Flynn (Oct 02)
- Re: port bonding and taps Bamm Visscher (Oct 02)
- <Possible follow-ups>
- Re: port bonding and taps Jeffrey . Stebelton (Oct 02)
- Re: port bonding and taps Michael Stone (Oct 02)
- Re: port bonding and taps Sam f. Stover (Oct 02)
- Re: port bonding and taps Bamm Visscher (Oct 06)
- RE: port bonding and taps PPowenski (Oct 02)
- Re: port bonding and taps Sam f. Stover (Oct 02)
- Re: port bonding and taps Bennett Todd (Oct 06)
- Re: port bonding and taps Sam f. Stover (Oct 06)
- Re: port bonding and taps Bennett Todd (Oct 06)
- Re: port bonding and taps Sam f. Stover (Oct 06)
- Re: port bonding and taps Sam f. Stover (Oct 02)