Re: reassemble data from TAP

["Vladislav V. Myasnyankin" <mvv () kazna ru>]

Eric,

Thanks for your suggestion!
Most likely I will use interfaces bonding, but next time i will buy
SingleStream device (http://www.securicore.ca/critical_taps/singlestream/)
instead of SingleTAP.

--
regards,
Vladislav V. Myasnyankin
Chief Information Security Officer
Bank "Severnaya Kazna".
www.kazna.ru / www.internetbank.ru
mvv at kazna.ru
phone (343) 359-27-32, 059
     fax (343) 359-27-34
Personal homepage --> http://cybervlad.net

----- Original Message ----- 
From: "Eric Hines" <eric.hines () appliedwatch com>
To: "'Vladislav V. Myasnyankin'" <mvv () kazna ru>;
<honeypots () securityfocus com>
Sent: Thursday, October 14, 2004 9:03 PM
Subject: RE: reassemble data from TAP


> Vladislav,
>
> The Critical Taps tap you linked to does not support port aggregation,
> requiring you to use (2) NICs on your Snort box to monitor the RX/TX
> traffic. The way Ethernet Taps work as you know, is it separates the RX
and
> TX streams in to (2) ports and those (2) ports are then tied to (2)
> monitoring ports for your IDS or sniffer. The problem with this is as you
> mentioned, giving Snort the capability, which is fully stateful, to see
both
> sides of the traffic on your Linux box. You have (2) options here:
>
> 1) Use the NetOptics 10/100 Port Aggregator, which aggregates both RX and
TX
> ports in to a single monitoring port for your IDS.
> 2) Bond the NIC cards in your Linux box. Their exists several links out
> there (use google) to find out how to do this. Its pretty simple. This
will
> bond both interfaces into a single interface allowing you to monitor the
> traffic with Snort and have Snort see both sides of the session.
>
> More information on the port aggregator is at:
http://www.netoptics.com/products/product_family_details.asp?cid=1&pid=3&Sec
> tion=products&menuitem=1
>
>
> Regards,
> Eric Hines, GCIA, CISSP
> CEO, President
> Applied Watch Technologies, Inc.
> http://www.appliedwatch.com
> "Managing Open Source Security"
>
>
> -----Original Message-----
> From: Vladislav V. Myasnyankin [mailto:mvv () kazna ru]
> Sent: Wednesday, October 13, 2004 11:17 PM
> To: honeypots () securityfocus com
> Subject: reassemble data from TAP
>
> Hello,
>
> I want to use Snort (on Linux box)  to analyze network flow to/from
> honeynet. But I have some restrictions, especially I can use only Single
TAP
> (http://www.securicore.ca/critical_taps/singletap/) to connect sensors.
This
> mean, that I need 2 NIC to receive full stream (one for Rx, one for Tx
> pair). I am not sure, if Snort will work well in these conditions, because
> each sensor can analyze only half of the stream.
> Is there any software solution for Linux to "restore" full stream, direct
it
> to some pseudo-NIC, then "connect" snort to this pseudo-NIC?
>
> Thanks in advance!
>
> --
> regards,
> Vladislav V. Myasnyankin
> Chief Information Security Officer
> Bank "Severnaya Kazna".
> www.kazna.ru / www.internetbank.ru
> mvv at kazna.ru
> phone (343) 359-27-32, 059
>      fax (343) 359-27-34
> Personal homepage --> http://cybervlad.net