Snort mailing list archives

Re: Connecting snort bidirectionnal.


From: Jeff Nathan <jeff () snort org>
Date: Thu, 23 May 2002 21:38:04 -0700

Patrice.Arnal () alcatel fr wrote:

Hello

I have a little problem with the connection of my SNORT IDS on my
provider:

I use the "classical" stealth connection with a tap:

Internet -------------TAP----------------Firewall
                      |  |
                  out |  |in
                      |  |
                     SNORT

The problem is: the tap gives me 2 outputs connected to 2 interfaces on
my Snort box: one for the outbound traffic and one for the inbound
traffic.

So I use two instances of snort to monitor the in and the out, but I
can't make "activate" rules to work on the answer.

As my net is full duplex, the "net-men" told me that putting a hub to
merge the in and out should lead to collisions and loss of packets.

Any ideas?

Patrice ARNAL
ALCANET France
Site d'ILLKIRCH
1 Route du Dr Albert SCHWEITZER
67408 ILLKIRCH CEDEX

The ports on the tap are designed to be plugged into a network
analyzer.  For the purposes of Intrusion Detection, you'll have to plug
the two tap ports into a switch and then span those two ports to a third
port.  If that third port is 100Mb and you're tapping full-duplex 100Mb
you can end up with a situation where you're pushing more data into the
span port than the media can handle (oversubscription).

-Jeff

-- 
http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
