Snort mailing list archives
Re: Snort and network taps
From: Jeff Nathan <jeff () snort org>
Date: Tue, 23 Apr 2002 10:54:36 -0700
counter.spy () gmx de wrote:
Hi all,
[...]
I have decided to use network taps in order to monitor switchports. Those taps have the advantage of being read-only and making switch port mirroring unnecessary. Also full duplex monitoring is guaranteed this way. When using such network taps, you need two sniffing interfaces, one for each tap port, i.e. one for each direction of communication.
[...]
But now comes the real question: Wouldn't I lose the stateful inspection capability of snort when using the third method? Each snort process only sees one direction of each connection, so it cannot know if a connection has been properly established or not. It seems to me that this is a problem that most NIDS should encounter when running on tap ports, right? What would you recommend me to do, in order not to lose stateful analysis capabilities?
I have not attempted to use channel bonding and have no idea if the virtual interface appropriately abstracts the interface. The expensive but pretty much guaranteed method for using copper taps is to connect each tap port to a switch and span the two tap ports to a third port. The third spanned port can be connected directly to the IDS sensor or anything else you might want to connect it to. Understand that if the tap is tapping 100Mb full duplex, the span port can become oversaturated.
Thanks for any pointers, hints and suggestions. Greetings, D. Liesen -- GMX - The communications platform on the Internet. http://www.gmx.net
-Jeff -- http://jeff.wwti.com (pgp key available) "Common sense is the collection of prejudices acquired by age eighteen." - Albert Einstein
_______________________________________________
Snort-users mailing list Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
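The following is an added illustration of the problem raised in the thread, not code from Snort or from either poster. It models a TCP three-way handshake split across the two tap ports: a tracker fed only one direction never sees the flow reach ESTABLISHED, so any check that depends on session state (the kind Snort's stateful inspection exists to support) cannot be applied to the payload, while the same tracker fed both directions interleaved by timestamp (what bonding the two sniffing NICs, or spanning both tap ports to one switch port, does on the wire) tracks the session correctly. The packet records, the flow key and the `analyze`/`merge_directions` helpers are all constructed for this example; the state machine is a deliberate minimum and is not Snort's stream tracking.

```python
"""Why a sensor that sees only one tap port cannot track TCP state, and why
merging both directions restores it.

Added example for this thread; not Snort code and not from either poster.
All packet records below are constructed by hand."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float          # capture timestamp, seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: str         # TCP flags as letters, e.g. "S", "SA", "A", "PA"
    payload: int = 0   # payload length in bytes


# Tap port 1 carries only client -> server frames (constructed sample).
TAP_PORT_1 = [
    Pkt(0.000, "10.0.0.5", "10.0.0.9", 40000, 80, "S"),
    Pkt(0.002, "10.0.0.5", "10.0.0.9", 40000, 80, "A"),
    Pkt(0.003, "10.0.0.5", "10.0.0.9", 40000, 80, "PA", 120),
]
# Tap port 2 carries only server -> client frames (constructed sample).
TAP_PORT_2 = [
    Pkt(0.001, "10.0.0.9", "10.0.0.5", 80, 40000, "SA"),
    Pkt(0.004, "10.0.0.9", "10.0.0.5", 80, 40000, "PA", 512),
]


def flow_key(p):
    """Direction-independent key so both halves of a flow share one entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a < b else (b, a)


def merge_directions(*captures):
    """Interleave several one-directional captures by timestamp.

    Software equivalent of bonding the two sniffing NICs or spanning both
    tap ports to a single switch port: the sensor gets one ordered stream."""
    return sorted((p for cap in captures for p in cap), key=lambda p: p.ts)


def analyze(packets):
    """Run a minimal 3-way-handshake tracker over a packet list.

    Returns the final state of each flow plus how many payload bytes were
    seen inside an ESTABLISHED flow versus outside one. A rule that requires
    an established session can only ever match the first category."""
    state = {}
    established_bytes = 0
    unestablished_bytes = 0
    for p in packets:
        k = flow_key(p)
        s = state.setdefault(k, "NONE")
        syn, ack = "S" in p.flags, "A" in p.flags
        if s == "NONE" and syn and not ack:
            s = "SYN_SENT"            # client SYN
        elif s == "SYN_SENT" and syn and ack:
            s = "SYN_RECV"            # server SYN/ACK (only on tap port 2)
        elif s == "SYN_RECV" and ack and not syn:
            s = "ESTABLISHED"         # client's final ACK
        state[k] = s
        if s == "ESTABLISHED":
            established_bytes += p.payload
        else:
            unestablished_bytes += p.payload
    return {
        "states": list(state.values()),
        "established_bytes": established_bytes,
        "unestablished_bytes": unestablished_bytes,
    }


if __name__ == "__main__":
    captures = [
        ("tap port 1 only", TAP_PORT_1),
        ("tap port 2 only", TAP_PORT_2),
        ("both ports merged", merge_directions(TAP_PORT_1, TAP_PORT_2)),
    ]
    for name, cap in captures:
        print(f"{name:18s} -> {analyze(cap)}")
```

Run stand-alone, the single-port captures end in SYN_SENT and NONE respectively, with every payload byte counted as unestablished; the merged capture reaches ESTABLISHED and attributes all 632 bytes to the session. On a live sensor the same interleaving is obtained at the interface layer (the Linux bonding driver enslaving both sniffing NICs under one virtual interface that Snort listens on, which is the "channel bonding" the original poster mentions) or after the fact by merging the two pcap files by timestamp with a tool such as mergecap; either way, the sensor must see both directions in time order before any state-dependent rule can be trusted.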
Current thread:
- Snort and network taps counter . spy (Apr 23)
- Re: Snort and network taps Chris Green (Apr 23)
- Re: Snort and network taps Jeff Nathan (Apr 23)
- Re: Snort and network taps Jason Haar (Apr 23)
- Re: Snort and network taps Jeff Nathan (Apr 23)
- Re: Snort and network taps Jason Haar (Apr 23)
- Re: Snort and network taps Jason Haar (Apr 23)
- <Possible follow-ups>
- RE: Snort and network taps Wirth, Jeff (Apr 23)
- RE: Snort and network taps Fuchs Bernhard (Apr 24)