AW: IDS using Taps & network bridging

["Poppi, Sandro" <Sandro.Poppi () wacker com>]

Hi Jim,

instead of network bridging I used the Channel Bundling feature of Linux.
It's documented in /usr/src/linux/Documentation/net/bonding.txt. Maybe
you'll give it a shot.

Ciao,
Sandro
> Hi,
>
> I'm doing some testing to see how Taps could be implimented 
> in my environment.  
> I've read some information from Snort.org and other sources 
> showing the use of 
> taps in conjunction with a switch.  I would like to eliminate 
> the switch for 
> the aggregation and I'm looking for ideas on how to do that.  
> The IDS platform 
> is snort running on Intel with Linux 2.4 Kernel.  Ideas I've 
> had so far are:
>
> 1. Hub - full duplex issues - scrapped that idea!
> 2. Bridged network cards - sniffing the bridged interface has been 
> problematic.  It works but there seems to be an ARP DoS - any 
> ideas on this 
> would be great!
> 3. Multi port NIC that has software to aggregate.  The only 
> solution I've found 
> for this only has drivers for Windows.  
>
> I'm open to any suggestions but I'm really interested in the 
> network bridging.  
> What I've done so far is: 
> -Install 3 NICs in my box
> -Bridged eth1 & eth2 to br0
> -started up the bridge
> -sniffed br0
>
> I see mostly massive amounts of ARP traffic - any help on 
> this would be 
> appreciated.
>
> Regards,
>
> Jim
>
> "Life's tough - but it's a whole lot tougher when your stupid!"