IDS mailing list archives

Re: Bridge IDS


From: Stephen Samuel <samuel () bcgreen com>
Date: Thu, 05 Aug 2004 11:35:37 -0700

I have an OpenBSD box set up with 3 interfaces. One faces the internet.
The second is bridged to the outside interface with PF filtering.
The third is behind a NAT.

It'd be pretty easy to add SNORT filtering to the setup, but I'd
be inclined to upgrade the box (it's a P100). It works fine for a 1.5 Megabit
ADSL link and even handled 10 Megabits between my net and my roommate's net
(we had separate nets linked by a 10 Megabit hub to a cable connection
capable of 3 Megabits late at night).

I did some simple burst stress testing over the 10 Megabit link, and the
box seemed to work just fine.

Lee Sheng wrote:
All,


Perhaps this is a silly question, but I want to know: if a bridge firewall can be done, how about building a bridge IDS? I know there is snort-inline (consider it an IPS) that we can use, but what I mean is just snort without patching. Using three network interfaces, two for building a bridge and one for console. Can it be done? A tap is far too expensive for an individual like me :)

Any suggestion would be appreciated! Thanks.


Regards,
Lee



--
Stephen Samuel +1(604)876-0426                samuel () bcgreen com
                   http://www.bcgreen.com/~samuel/
   Powerful committed communication. Transformation touching
     the jewel within each person and bringing it to light.
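As an added example (not from either poster) of the three-interface layout Lee asks about and Stephen describes: two members bridged with no addresses of their own, PF filtering on the members, and an unpatched Snort sniffing the inside member. Interface names, the 192.0.2.0/24 addresses and the file layout are assumptions (modern hostname.if(5) conventions; OpenBSD releases of the 2004 era kept the bridge in /etc/bridgename.bridge0 instead).

```conf
# /etc/hostname.fxp0  -- bridge member facing the internet: up, no IP
up

# /etc/hostname.fxp1  -- bridge member facing the LAN: up, no IP
up

# /etc/hostname.bridge0  -- join the two members; PF filters on each member,
# so no IP forwarding is needed and the box is invisible on the wire
add fxp0
add fxp1
up

# /etc/hostname.fxp2  -- the "console" interface, the only one with an address
# (192.0.2.10 is a constructed documentation address)
inet 192.0.2.10 255.255.255.0 NONE

# /etc/pf.conf  -- excerpt: filter on the bridge members, lock down the console
ext_if  = "fxp0"
int_if  = "fxp1"
mgmt_if = "fxp2"
mgmt_net = "192.0.2.0/24"

# default deny on the outside member, log what is dropped
block in log on $ext_if
# allow only the services the LAN actually offers
pass in on $ext_if proto tcp to port { 80 443 } flags S/SA keep state
pass out on $ext_if keep state
# console interface reachable for ssh from the management network only
block in on $mgmt_if
pass in on $mgmt_if proto tcp from $mgmt_net to ($mgmt_if) port 22 keep state

# /etc/rc.local  -- Snort in plain sniffing mode on the inside member; it
# sees everything the bridge passes and never touches forwarding
/usr/local/bin/snort -D -i fxp1 -c /etc/snort/snort.conf -l /var/log/snort
```

Because fxp1 carries no address, Snort's alerts and the PF log (tcpdump on pflog0) can only be read over the console interface, which is the point of the third NIC.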

