Snort mailing list archives
passive tap
From: christian graf <chr.graf () gmx de>
Date: 02 Dec 2003 10:32:35 +0100
Hi,

My experiences with an IDS other than Snort are the following:

1) The easiest solution is mirroring the, e.g., 100 Mbit link to a 1 Gig link. Having this you avoid oversubscription and you do not have to change anything on your IDS. That is independent of the usage of any taps. You don't need them in this scenario.

2) The worst is, as others said, having two instances of Snort/libpcap running. Huge overhead, poor performance and the loss of any stateful capabilities / preprocessors. That will not satisfy anybody.

3) The bridging solution: I tried this and the results are really bad. Bridging produces overhead and, more importantly, as your Snort device is acting like a bridge, you have to DISABLE forwarding on your "snort-bridging-device". If not, all packets may be seen on both interfaces and therefore you get all alerts twice. I wouldn't take it.

4) The bonding: yes, the bonding was a real nice success. Just enable the bonding interface and you get what you want. You can use 2 NICs, having the tapped rx and tx streams recombined in the bonding interface, and you need only one instance of Snort running. I have never thought about whether packets may be disordered when using a bonding interface. This could be a potential problem when thinking about statefulness and the preprocessors. But maybe anybody on this list could clarify this.

Regarding this limitation, point (1) is the safest unless your switch/router is powerful enough in its mirroring capabilities.

Hope this helps,
christian
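The bonding setup from point (4) above, written out as an added example (this is not code from the original post or from the Snort project). It recombines the two tap outputs on a Linux bonding interface so a single Snort instance sees both directions, and adds the check a practitioner wants before trusting the setup: the bond must be in balance-rr mode, because active-backup discards frames arriving on the inactive slave, which would silently drop one half of the tap. Interface names (eth1, eth2, bond0), the Snort config path and the use of iproute2 for enslaving are assumptions.

```shell
#!/bin/sh
# Added example: recombine the rx and tx halves of a passive tap, which arrive
# on two NICs, on a Linux bonding interface so that one Snort instance sees the
# full-duplex stream. Interface names and the Snort config path are assumptions.
set -eu

BOND="${BOND:-bond0}"
SLAVE_A="${SLAVE_A:-eth1}"   # tap output carrying one direction of the link
SLAVE_B="${SLAVE_B:-eth2}"   # tap output carrying the other direction

# balance-rr (mode 0) hands frames received on every slave up to the bond.
# active-backup (mode 1) discards frames that arrive on the inactive slave,
# i.e. it would throw away one direction of the tap, so the mode is checked.
WANT_MODE="balance-rr"

# Print the commands that build the bond instead of running them, so the plan
# can be reviewed, piped to sh as root, or tested without root. No IP address
# is ever assigned to the bond: it is a pure sniffing interface.
plan_bond() {
    bond=$1; a=$2; b=$3
    cat <<EOF
modprobe bonding
ip link add $bond type bond mode $WANT_MODE
ip link set $a down
ip link set $b down
ip link set $a master $bond
ip link set $b master $bond
ip link set $bond up promisc on
ip link set $a up promisc on
ip link set $b up promisc on
EOF
}

# Check the mode string the kernel reports in
# /sys/class/net/<bond>/bonding/mode, which looks like "balance-rr 0".
mode_ok() {
    set -- $1          # split "name number" into positional words
    [ "${1:-}" = "$WANT_MODE" ]
}

# Check that the slave list from /sys/class/net/<bond>/bonding/slaves
# (e.g. "eth1 eth2") contains both tap NICs; a missing slave means one
# direction of the monitored link is not being seen at all.
slaves_ok() {
    list=$1; a=$2; b=$3
    case " $list " in
        *" $a "*) ;;
        *) return 1 ;;
    esac
    case " $list " in
        *" $b "*) ;;
        *) return 1 ;;
    esac
    return 0
}

# Read the live state from sysfs and verify it (the bond must already exist).
verify_bond() {
    bond=$1; a=$2; b=$3
    mode_ok "$(cat /sys/class/net/$bond/bonding/mode)" || {
        echo "$bond is not in $WANT_MODE; frames on one slave would be dropped" >&2
        return 1
    }
    slaves_ok "$(cat /sys/class/net/$bond/bonding/slaves)" "$a" "$b" || {
        echo "$bond does not have both $a and $b enslaved" >&2
        return 1
    }
}

case "${1:-plan}" in
    plan)   plan_bond "$BOND" "$SLAVE_A" "$SLAVE_B" ;;
    apply)  plan_bond "$BOND" "$SLAVE_A" "$SLAVE_B" | sh -e
            verify_bond "$BOND" "$SLAVE_A" "$SLAVE_B" ;;
    verify) verify_bond "$BOND" "$SLAVE_A" "$SLAVE_B" ;;
    snort)  verify_bond "$BOND" "$SLAVE_A" "$SLAVE_B"
            # a single Snort instance on the bond sees both directions
            exec snort -i "$BOND" -c /etc/snort/snort.conf ;;
esac
```

Run it without arguments to see the plan, `apply` as root to build and verify the bond, and `snort` to start one Snort process on it. On the ordering question raised in the post: Linux bonding preserves frame order within each slave but gives no ordering guarantee between the two slaves, so a reply can occasionally be handed to Snort slightly before the request it answers. Within a TCP connection the stream preprocessor reassembles by sequence number, so segment reordering across the two halves is tolerated; what is not recovered is cross-direction timing, which matters only for logic that depends on seeing packets of both directions in strict wire order.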