Honeypots mailing list archives
Re: reassemble data from TAP
From: "Vladislav V. Myasnyankin" <mvv () kazna ru>
Date: Fri, 15 Oct 2004 09:41:25 +0600
Eric,

Thanks for your suggestion! Most likely I will use interface bonding, but next time I will buy a SingleStream device (http://www.securicore.ca/critical_taps/singlestream/) instead of SingleTAP.

--
regards,
Vladislav V. Myasnyankin
Chief Information Security Officer
Bank "Severnaya Kazna". www.kazna.ru / www.internetbank.ru
mvv at kazna.ru
phone (343) 359-27-32, 059
fax (343) 359-27-34
Personal homepage --> http://cybervlad.net

----- Original Message -----
From: "Eric Hines" <eric.hines () appliedwatch com>
To: "'Vladislav V. Myasnyankin'" <mvv () kazna ru>; <honeypots () securityfocus com>
Sent: Thursday, October 14, 2004 9:03 PM
Subject: RE: reassemble data from TAP

Vladislav,

The Critical Taps tap you linked to does not support port aggregation, requiring you to use (2) NICs on your Snort box to monitor the RX/TX traffic. The way Ethernet taps work, as you know, is that they separate the RX and TX streams into (2) ports, and those (2) ports are then tied to (2) monitoring ports for your IDS or sniffer. The problem with this, as you mentioned, is giving Snort, which is fully stateful, the capability to see both sides of the traffic on your Linux box. You have (2) options here:

1) Use the NetOptics 10/100 Port Aggregator, which aggregates both RX and TX ports into a single monitoring port for your IDS.

2) Bond the NIC cards in your Linux box. There exist several links out there (use Google) to find out how to do this. It's pretty simple. This will bond both interfaces into a single interface, allowing you to monitor the traffic with Snort and have Snort see both sides of the session.

More information on the port aggregator is at:
http://www.netoptics.com/products/product_family_details.asp?cid=1&pid=3&Section=products&menuitem=1

Regards,
Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, Inc.
http://www.appliedwatch.com
"Managing Open Source Security"

-----Original Message-----
From: Vladislav V. Myasnyankin [mailto:mvv () kazna ru]
Sent: Wednesday, October 13, 2004 11:17 PM
To: honeypots () securityfocus com
Subject: reassemble data from TAP

Hello,

I want to use Snort (on a Linux box) to analyze network flow to/from the honeynet. But I have some restrictions; in particular, I can only use a SingleTAP (http://www.securicore.ca/critical_taps/singletap/) to connect sensors. This means that I need 2 NICs to receive the full stream (one for the Rx pair, one for the Tx pair). I am not sure whether Snort will work well in these conditions, because each sensor can analyze only half of the stream. Is there any software solution for Linux to "restore" the full stream, direct it to some pseudo-NIC, then "connect" Snort to this pseudo-NIC?

Thanks in advance!

--
regards,
Vladislav V. Myasnyankin
Chief Information Security Officer
Bank "Severnaya Kazna". www.kazna.ru / www.internetbank.ru
mvv at kazna.ru
phone (343) 359-27-32, 059
fax (343) 359-27-34
Personal homepage --> http://cybervlad.net
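The thread settles on interface bonding (or an aggregating tap) for live monitoring, but Vladislav's original question, whether software can "restore" the full stream from the two tap halves, also has an offline answer: capture each tap output on its own NIC, then interleave the two pcap files by timestamp so Snort sees one session with both directions. The following script is an added example written for this archive page, not code from any poster or from Snort. It implements a minimal classic libpcap reader and writer (little-endian, microsecond timestamps, Ethernet link type) and merges two already time-ordered half captures; the frames, MAC addresses and timestamps in `demo()` are constructed sample data. It assumes both capture NICs sit in the same host and share one clock, which is exactly the two-NIC setup described in the thread.

```python
import heapq
import struct
import tempfile
from pathlib import Path

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def write_pcap(path, packets):
    """Write (ts_sec, ts_usec, frame_bytes) tuples as a classic libpcap file."""
    with open(path, "wb") as f:
        # global header: magic, major 2, minor 4, thiszone 0, sigfigs 0, snaplen, linktype
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for ts_sec, ts_usec, frame in packets:
            # record header: ts_sec, ts_usec, captured length, original length
            f.write(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Yield (ts_sec, ts_usec, frame_bytes) from a classic little-endian pcap file."""
    with open(path, "rb") as f:
        header = f.read(24)
        (magic,) = struct.unpack("<I", header[:4])
        if magic != PCAP_MAGIC:
            raise ValueError("only little-endian microsecond pcap files are handled here")
        while True:
            rec = f.read(16)
            if len(rec) < 16:          # clean end of file (or a truncated trailing record)
                return
            ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", rec)
            yield ts_sec, ts_usec, f.read(incl_len)


def merge_pcaps(rx_path, tx_path, out_path):
    """Interleave two half-stream captures by timestamp into one full-stream pcap.

    Each NIC writes its half in capture order, so both inputs are already sorted
    and a single-pass heapq.merge suffices. heapq.merge is stable: on equal
    timestamps the RX record (first iterable) comes out first.
    """
    merged = list(heapq.merge(read_pcap(rx_path), read_pcap(tx_path),
                              key=lambda p: (p[0], p[1])))
    write_pcap(out_path, merged)
    return merged


def frame(src_mac, dst_mac, payload):
    """Build a constructed Ethernet frame (dst, src, EtherType 0x0800) around a payload."""
    dst = bytes.fromhex(dst_mac.replace(":", ""))
    src = bytes.fromhex(src_mac.replace(":", ""))
    return dst + src + b"\x08\x00" + payload


def demo():
    """Merge a constructed client->honeypot (RX) half and honeypot->client (TX) half.

    Returns the payload order read back from the merged file, which should be a
    single coherent exchange: SYN, SYN-ACK, ACK, request, response.
    """
    client = "02:00:00:00:00:01"    # constructed locally administered MACs
    honeypot = "02:00:00:00:00:02"
    rx = [  # one tap output: packets heading toward the honeynet (constructed)
        (1097730000, 100, frame(client, honeypot, b"SYN")),
        (1097730000, 300, frame(client, honeypot, b"ACK")),
        (1097730001, 50, frame(client, honeypot, b"GET / HTTP/1.0")),
    ]
    tx = [  # the other tap output: packets leaving the honeynet (constructed)
        (1097730000, 200, frame(honeypot, client, b"SYN-ACK")),
        (1097730001, 900, frame(honeypot, client, b"HTTP/1.0 200 OK")),
    ]
    with tempfile.TemporaryDirectory() as d:
        rx_path, tx_path, out = Path(d, "rx.pcap"), Path(d, "tx.pcap"), Path(d, "full.pcap")
        write_pcap(rx_path, rx)
        write_pcap(tx_path, tx)
        merge_pcaps(rx_path, tx_path, out)
        # read the merged file back so the writer/reader round trip is exercised too
        return [f[14:] for _, _, f in read_pcap(out)]


if __name__ == "__main__":
    for payload in demo():
        print(payload.decode())
```

The merged file can be fed to Snort for offline analysis with `snort -r full.pcap`, which gives its stateful preprocessors both directions of every session. This does not replace bonding or an aggregating tap for live detection, because Snort only ever sees the merged file after the fact; it is useful for verifying rules against honeynet captures and for forensic review of a session that the two separate half captures would make hard to follow. If the two NICs were ever on different hosts, their clocks would have to be synchronised before merging or the interleaving would be wrong.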