Snort mailing list archives
Monitoring GigE links without a mirror port
From: "Daniel Wiley" <dwiley () masergy com>
Date: Thu, 28 Mar 2002 10:15:24 -0500
The Problem: Monitoring Full-Duplex Gigabit Ethernet links without spending thousands!

After weeks of playing with splitters and switches I was getting disappointed that I couldn't get full-duplex Gigabit Ethernet monitoring without a switch (for aggregation or mirroring), a tap and a snort box. I was using basically the same methodology that Check Louie used at http://rr.sans.org/intrusion/internal.php, which was working without a hitch, but there are three problems.

1. Taking both TX connections and bundling the two TX's on the switch into a single gigabit line could cause large packet loss at anything over 1 gigabit.
2. Switches cost A LOT of $$$$$, especially with multiple Gig ports and mirroring.
3. Multiple fiber taps are also expensive.

Port mirroring works OK if you have a switch that supports it, but it uses a considerable amount of processor, and in my environment the switch in question can't do port mirroring reliably.

So I was thinking... to reduce the need for a switch with mirroring and to cut costs, why not use two GigE cards? I could use a single GigE tap and try to get snort running in parallel over two cards (not an easy task). So it came to me: why not use the bonding feature in Linux...

Here is what it looks like:

    |------|      TX       |------|
    |ROUTER|---------------|SWITCH|
    |      |      Tap      |      |
    |      |---------------|      |
    |------|      RX       |------|
                  |
               --------
               |      |
              /        \
             /          \
            TX          TX
         ---------------
         | Linux/Snort |
         ---------------

Each one of the TX lines is terminated into the RX port on a single GigE nic (TX on the Nics are not used). In my case I used an all Intel box with Intel GigE nics. After getting bonding in the kernel and working, I put all the nics into the bonded interface, put them all into promisc mode, fired up snort on the bonded interface and everything works great.

I'm in the process of testing the stability of this setup and if anyone is interested I'll email you the results. So my big question to the list is performance.
I know the limitations of snort at this point, but I wonder if anyone else has tried anything like I have and what their experience has been.

Thanks,
Daniel
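The setup described in the post (two GigE NICs, each fed one direction of the tap, enslaved to a Linux bond running in promiscuous mode with Snort listening on the bond) expressed as a shell script. This is an added example, not Daniel's own configuration: it assumes a modern iproute2 (`ip link ... type bond`) rather than the 2002-era ifenslave tool, uses placeholder interface names eth1/eth2 and a placeholder snort.conf path, and adds a check against /proc/net/bonding that a practitioner would want before trusting the sensor's coverage. Bond mode matters for a receive-only monitor: in active-backup the bonding driver drops frames arriving on the inactive slave, so one tap direction would silently disappear; balance-rr keeps both receive paths live.

```shell
#!/bin/sh
# Added example (not from the original post): build a receive-only Linux
# bond from two GigE NICs, one per tap TX output, and run Snort on the bond.
# Assumptions: eth1/eth2 are the monitoring NICs (placeholders), the kernel
# has the bonding driver, and SNORT_CONF is a placeholder path.
set -e

BOND=${BOND:-bond0}
SLAVES=${SLAVES:-"eth1 eth2"}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}   # placeholder path

# run: execute a command, or only print it when DRY_RUN=1 so the exact
# sequence can be reviewed (and tested) without root or real NICs.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# bond_monitor_up: create the bond in balance-rr mode and enslave the NICs.
# Do not use active-backup for a monitor bond: the driver discards frames
# received on the inactive slave, so one direction of the link would vanish.
bond_monitor_up() {
    run ip link add "$BOND" type bond mode balance-rr
    for nic in $SLAVES; do
        run ip link set "$nic" down            # a slave must be down to enslave it
        run ip link set "$nic" master "$BOND"
        run ip link set "$nic" up
    done
    # Promiscuous mode set on the bond is propagated to every slave, so all
    # frames copied by the tap are handed up regardless of destination MAC.
    run ip link set "$BOND" promisc on
    run ip link set "$BOND" up
}

# start_snort: sniff the aggregated interface, not the individual slaves,
# so both directions of the monitored link reach one Snort instance.
start_snort() {
    run snort -i "$BOND" -c "$SNORT_CONF"
}

# check_bond_state: outside dry-run, confirm both slaves are really enslaved
# and the bond is in round-robin mode, using the kernel's own status file.
check_bond_state() {
    [ "${DRY_RUN:-0}" = "1" ] && return 0
    for nic in $SLAVES; do
        grep -q "Slave Interface: $nic" "/proc/net/bonding/$BOND" || return 1
    done
    grep -q "Bonding Mode: load balancing (round-robin)" "/proc/net/bonding/$BOND"
}

# Only act when explicitly asked, so sourcing this file is side-effect free.
if [ "${RUN_BOND:-0}" = "1" ]; then
    bond_monitor_up
    check_bond_state
    start_snort
fi
```

Run it as `DRY_RUN=1 RUN_BOND=1 sh bond-monitor.sh` first to review the command sequence, then as root with `RUN_BOND=1` on the sensor. The bond never transmits because nothing is routed over it and the NIC TX pairs are not connected, which matches the post's wiring.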