Snort mailing list archives

Re: Taps


From: Richard Bejtlich <taosecurity () gmail com>
Date: Wed, 25 Aug 2004 13:06:46 -0400

Paul Halliday wrote:

I have looked at purchasing a real tap from Securicore Inc that
combines both streams into one on its own but they want 1300 CAD for
one of these which is not really in our budget atm.

What, if any, are my other options?

--

Hi Paul,

I don't recommend using the homebrew "taps."  If you want a real tap,
but can't afford the single-output version, consider a traditional
two-output tap like the Net Optics 10/100 Ethernet product. [0] It's
less than half the price of the single-output taps.

By the way, if you do want to buy a single-output tap, make sure it's
built with buffers to handle any bursts above the 100 Mbps aggregate
limit. [1]

You can use a channel-bonding solution to make the two TX outputs look
like a single virtual interface on the sensor.  I documented one
approach for FreeBSD. [2]

My book on network security monitoring has an entire chapter on the
subject of gaining access to traffic, comparing hubs, taps, SPAN
ports, and inline devices. [3]

Sincerely,

Richard
http://www.taosecurity.com

[0] http://www.netoptics.com/products/product_family_details.asp?cid=1&pid=4&Section=products&menuitem=1
[1] http://taosecurity.blogspot.com/2004_01_01_taosecurity_archive.html#107343843939477952
[2] http://www.mcabee.org/lists/snort-users/Dec-03/msg00454.html
[3] http://www.taosecurity.com/books.html

