Honeypots mailing list archives
Re: reassemble data from TAP
From: Richard Windmann <windmann () area52 allserve net>
Date: Thu, 14 Oct 2004 10:17:22 -0500 (CDT)
If you are using a Cisco switch, would the configuration below work? I use this and get both sides of the conversation on one switch port.

interface FastEthernet0/4
 description Firewall port
 switchport access vlan 3
interface FastEthernet0/4
 description Core switch port
 switchport access vlan 3
!
interface FastEthernet0/5
 description IDS sensor port
 port monitor FastEthernet0/4
 port monitor FastEthernet0/3
 switchport access vlan 3

On Thu, 14 Oct 2004, Vladislav V. Myasnyankin wrote:
Hello,

I want to use Snort (on a Linux box) to analyze network flow to/from a honeynet. But I have some restrictions; in particular, I can use only a Single TAP (http://www.securicore.ca/critical_taps/singletap/) to connect sensors. This means that I need 2 NICs to receive the full stream (one for the Rx pair, one for the Tx pair). I am not sure if Snort will work well in these conditions, because each sensor can analyze only half of the stream.

Is there any software solution for Linux to "restore" the full stream, direct it to some pseudo-NIC, then "connect" Snort to this pseudo-NIC?

Thanks in advance!

--
regards,
Vladislav V. Myasnyankin
Chief Information Security Officer
Bank "Severnaya Kazna". www.kazna.ru / www.internetbank.ru
mvv at kazna.ru
phone (343) 359-27-32, 059
fax (343) 359-27-34
Personal homepage --> http://cybervlad.net
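
Added example, not part of the original thread: an offline form of the "restore the full stream" step asked about above. It interleaves two classic pcap captures, one per TAP direction, by timestamp so an analyzer sees both sides of each conversation in order. The function names and sample frames are constructed for illustration, and both captures are assumed to come from NICs on the same host (one shared clock).

```python
import heapq
import struct

# Classic little-endian pcap layout (microsecond timestamps).
PCAP_GLOBAL = struct.Struct("<IHHiIII")  # magic, major, minor, zone, sigfigs, snaplen, linktype
PCAP_RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len
MAGIC_USEC = 0xA1B2C3D4


def read_pcap(blob):
    """Yield (ts_sec, ts_usec, orig_len, frame) for each record in a pcap byte string."""
    if PCAP_GLOBAL.unpack_from(blob, 0)[0] != MAGIC_USEC:
        raise ValueError("not a little-endian microsecond pcap")
    offset = PCAP_GLOBAL.size
    while offset + PCAP_RECORD.size <= len(blob):
        sec, usec, incl, orig = PCAP_RECORD.unpack_from(blob, offset)
        offset += PCAP_RECORD.size
        frame = blob[offset:offset + incl]
        if len(frame) < incl:  # capture cut off mid-record: stop cleanly
            break
        offset += incl
        yield sec, usec, orig, frame


def write_pcap(packets, snaplen=65535, linktype=1):
    """Serialize packets to pcap bytes (linktype 1 = Ethernet)."""
    out = bytearray(PCAP_GLOBAL.pack(MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype))
    for sec, usec, orig, frame in packets:
        out += PCAP_RECORD.pack(sec, usec, len(frame), orig) + frame
    return bytes(out)


def merge_tap_halves(rx_blob, tx_blob):
    """Interleave the Rx-side and Tx-side captures in timestamp order.

    heapq.merge is stable, so on equal timestamps the Rx packet comes first.
    Each input must already be in capture order, which a single NIC guarantees.
    """
    merged = heapq.merge(read_pcap(rx_blob), read_pcap(tx_blob),
                         key=lambda p: (p[0], p[1]))
    return write_pcap(merged)


# Constructed sample: four placeholder "frames" split across the two TAP halves.
RX = write_pcap([(100, 10, 4, b"SYN "), (100, 300, 4, b"ACK ")])
TX = write_pcap([(100, 200, 4, b"SYNA"), (100, 400, 4, b"DATA")])
MERGED_ORDER = [p[3] for p in read_pcap(merge_tap_halves(RX, TX))]
```

Packets that arrive on the two NICs within the capture clock's resolution can still come out in the wrong relative order, so a stream reassembler reading the merged file should tolerate slight reordering.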