Re: reassemble data from TAP

[Richard Windmann <windmann () area52 allserve net>]

If you are using a Cisco switch, would the configuration below work? I use
this and get both sides of the conversation on one switch port. 

interface FastEthernet0/4
 description Firewall port
 switchport access vlan 3

interface FastEthernet0/4
 description Core switch port
 switchport access vlan 3
!
interface FastEthernet0/5
 description IDS sensor
 port monitor FastEthernet0/4
 port monitor FastEthernet0/3
 switchport access vlan 3

On Thu, 14 Oct 2004, Vladislav V. Myasnyankin wrote:

> Hello,
>
> I want to use Snort (on Linux box)  to analyze network flow to/from
> honeynet. But I have some restrictions, especially I can use only Single TAP
> (http://www.securicore.ca/critical_taps/singletap/) to connect sensors. This
> mean, that I need 2 NIC to receive full stream (one for Rx, one for Tx
> pair). I am not sure, if Snort will work well in these conditions, because
> each sensor can analyze only half of the stream.
> Is there any software solution for Linux to "restore" full stream, direct it
> to some pseudo-NIC, then "connect" snort to this pseudo-NIC?
>
> Thanks in advance!
>
> --
> regards,
> Vladislav V. Myasnyankin
> Chief Information Security Officer
> Bank "Severnaya Kazna".
> www.kazna.ru / www.internetbank.ru
> mvv at kazna.ru
> phone (343) 359-27-32, 059
>      fax (343) 359-27-34
> Personal homepage --> http://cybervlad.net