Snort mailing list archives
Re: snort behind TAP & asynchronous_link
From: Chris Green <cmg () sourcefire com>
Date: Thu, 15 Aug 2002 10:36:56 -0400
Holger.Woehle () arcor net writes:
> You are right about the function of the Tap splitting the traffic. If I use bond0 with two devices on both Tap ends, everything works... So, why wouldn't I do that? I have to observe a redundant Ethernet infrastructure. For this reason I have to use bond0 to merge Tap A from two Taps. That means 2 x 100mbit, which is a lot of traffic, but it works! If I try to catch the answers at Tap B, I have a bonding interface with 4 x 100mbit... only to be able to make stream assembly work. I think that's too high a price.
>
> But let us talk about that opinion: I don't need any rules observing the server answers. Does the return traffic stress snort heavily even without rules? I think yes: Snort has to examine every packet, so I think I would have a lot of packet losses, wouldn't I?
It's your trade-off and it's dependent on your configuration.

The way asynchronous_link assembly has to work is just queuing up packets from remote clients and then pushing them through the detection engine rather than seeing what packets the server expects to see. This means that a session running in asynchronous_link mode does not have the same type of defenses against snot type attacks.

Perfect world: look at both sides
Other worlds: choose what works for you in your environment.
--
Chris Green <cmg () sourcefire com>
"Yeah, but you're taking the universe out of context."
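The trade-off described in the reply above, as a simplified model added here for illustration; it is not part of the original message and is not Snort's stream4 code. The `Pkt` fields, the `reaches_detection` function, the state names and the signature string are all constructed assumptions: with both tap legs visible, client data is only reassembled on a handshake the server answered, while with one leg the client's own packets are the only evidence of a session.

```python
# Simplified model (assumption, not Snort's implementation) of TCP session
# tracking with both directions visible vs. client-side traffic only.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src flags seq ack data")  # src: "client" or "server"
SIGNATURE = b"/etc/passwd"  # constructed stand-in for a content rule


def reaches_detection(packets, asynchronous_link):
    """True if reassembled client data matching SIGNATURE is handed to detection."""
    state, next_seq, stream = "closed", None, b""
    for p in packets:
        if p.src == "server":
            if asynchronous_link:
                continue  # the tap leg carrying server replies is not monitored
            if state == "syn_seen" and p.flags == "SA" and p.ack == next_seq:
                state = "synack_seen"
            continue
        if p.flags == "S":
            state, next_seq, stream = "syn_seen", p.seq + 1, b""
        elif p.flags == "A" and not p.data:
            # Two-sided: only a handshake the server answered becomes established.
            # One-sided: the client's ACK is all the evidence there is.
            if state == "synack_seen" or (asynchronous_link and state == "syn_seen"):
                state = "established"
        elif p.data and state == "established" and p.seq == next_seq:
            stream += p.data  # queue in-order client segments
            next_seq += len(p.data)
    return SIGNATURE in stream


# Constructed sample: a real session, with the match split across two segments.
REAL = [
    Pkt("client", "S", 1000, 0, b""),
    Pkt("server", "SA", 5000, 1001, b""),
    Pkt("client", "A", 1001, 5001, b""),
    Pkt("client", "PA", 1001, 5001, b"GET /../../etc"),
    Pkt("client", "PA", 1015, 5001, b"/passwd HTTP/1.0\r\n"),
]
# Constructed sample: the same client packets, but the server never replied.
UNANSWERED = [p for p in REAL if p.src == "client"]

if __name__ == "__main__":
    for name, pkts in (("real", REAL), ("unanswered", UNANSWERED)):
        for mode in (False, True):
            print(name, "asynchronous_link" if mode else "both sides",
                  "-> alert" if reaches_detection(pkts, mode) else "-> no alert")
```

In this model only the one-sided tracker alerts on the unanswered packets, which is the kind of false session a sensor watching both directions can discard.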