Honeypots mailing list archives
Re: reassemble data from TAP
From: Kyle Maxwell <krmaxwell () gmail com>
Date: Thu, 14 Oct 2004 17:27:46 -0500
On Thu, 14 Oct 2004 10:17:09 +0600, Vladislav V. Myasnyankin <mvv () kazna ru> wrote:
> I want to use Snort (on a Linux box) to analyze network flow to/from a honeynet. But I have some restrictions; in particular, I can use only a Single TAP (http://www.securicore.ca/critical_taps/singletap/) to connect sensors. This means that I need 2 NICs to receive the full stream (one for the Rx pair, one for the Tx pair). I am not sure if Snort will work well in these conditions, because each sensor can analyze only half of the stream. Is there any software solution for Linux to "restore" the full stream, direct it to some pseudo-NIC, then "connect" Snort to this pseudo-NIC?
Look around for "Linux channel bonding" and "interface aggregation"; that lets you aggregate multiple physical interfaces into one virtual interface. Then point your IDS, sniffer, or whatever at the new virtual interface.

--
Kyle Maxwell [krmaxwell () gmail com]
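
The channel-bonding setup suggested above, as an added example that is not part of the original post: a script that prints (and with `APPLY=1` runs, as root) the iproute2 commands to join the two tap-facing NICs into one receive-only capture interface. The names `bond0`, `eth1`, `eth2` and the helper functions are assumptions for illustration.

```shell
#!/bin/sh
# Added example: build a receive-only bond from the two NICs fed by a tap.
# bond0 / eth1 / eth2 are assumed names; use the sensor's monitor ports.

# Print the commands that aggregate the tap-facing NICs into one interface.
tap_bond_plan() {
    [ "$#" -ge 3 ] || { echo "usage: tap_bond_plan BOND NIC NIC..." >&2; return 2; }
    bond=$1; shift
    # Reject anything that is not a plain interface name before it reaches a shell.
    for nic in "$bond" "$@"; do
        case $nic in
            ''|*[!A-Za-z0-9_.-]*) echo "bad interface name: $nic" >&2; return 2 ;;
        esac
    done
    # balance-rr keeps every slave active for receive; active-backup would
    # drop frames arriving on the standby slave, i.e. one direction of the tap.
    echo "ip link add $bond type bond mode balance-rr miimon 100"
    for nic in "$@"; do
        echo "ip link set dev $nic down"          # a NIC must be down to be enslaved
        echo "ethtool -K $nic gro off lro off"    # show the IDS packets as seen on the wire
        echo "ip link set dev $nic master $bond"
    done
    # No IP address and no ARP: the bond only listens.
    echo "ip link set dev $bond arp off promisc on up"
}

# Run the plan; stops at the first failing command.
tap_bond_apply() {
    plan=$(tap_bond_plan "$@") || return
    printf '%s\n' "$plan" | sh -e
}

if [ "${APPLY:-0}" = 1 ]; then
    tap_bond_apply bond0 eth1 eth2
else
    tap_bond_plan bond0 eth1 eth2
fi
```

Once the bond is up, point the sensor at it with `snort -i bond0`. The two directions arrive through separate NICs, so the relative order of closely spaced request and response packets is not guaranteed on the bonded interface.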