Snort mailing list archives

Tap traffic reassembly using OpenBSD bridge?


From: Douglas <Douglas () es telecomet co uk>
Date: Sun, 26 May 2002 00:49:54 +0100

Hi,

I wasn't able to find any information on this mentioned previously so apologies if it has been posted before. Also 
I've only tested this on OpenBSD 3.1 so have no idea if it works on other operating systems.

Under OpenBSD if the two interfaces connected to the tap output ports are configured to be members of a bridge (learn 
and discover disabled), then it is possible for snort to sniff off the virtual "bridge0" interface and capture all 
traffic from the tap. This way the two traffic streams from the tap are reassembled without the need of an intermediary 
switch or other device. Also there should be no oversubscription on the bridge0 interface as it is not limited to 
100Mbps.

Expanding this, if one or more output interfaces are added to the bridge (learn disabled) then it is possible to use pf 
to filter the traffic passing out of these interfaces. So for example there could be multiple IDS sensors connected to 
the bridging system, with the output to these sensors individually filtered by port, destination address etc.

Can anyone comment on if they can see any disadvantages/faults to this method? Is this a viable alternative to using a 
dedicated switch or other device for tap traffic reassembly?


Doug
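As an added illustration (not part of Doug's post or of the Snort project), the following POSIX shell script generates the OpenBSD 3.x bridge and pf configuration the message describes and checks a brconfig(8) listing for member ports that still have address learning enabled. The interface names fxp0 and fxp1 (tap output ports) and fxp2 (sensor port), the `ipf` brconfig flag used to hand member traffic to pf, the port list and the sample brconfig output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original message. Interface names, the
# "ipf" brconfig flag, port numbers and the sample listing are assumptions.

# Emit bridgename.bridge0(5) lines for a tap-reassembly bridge:
#  - both tap output ports join with learning AND discovery disabled, so the
#    bridge never builds a forwarding table from them and never transmits
#    back out of the receive-only tap ports;
#  - each sensor port joins with learning disabled but discovery left on, so
#    every frame (unknown destination, since nothing is learned) is flooded
#    to the sensors; "ipf" (assumed flag) hands its traffic to pf.
gen_bridge_config() {
    tap_a=$1; tap_b=$2; shift 2
    for ifn in "$tap_a" "$tap_b" "$@"; do
        echo "add $ifn"
    done
    echo "-learn $tap_a"
    echo "-discover $tap_a"
    echo "-learn $tap_b"
    echo "-discover $tap_b"
    for sensor in "$@"; do
        echo "-learn $sensor"
        echo "ipf $sensor"
    done
    echo "up"
}

# Emit pf.conf rules that let only the listed TCP ports leave a sensor port,
# so one sensor sees, for example, only web traffic (assumed port list).
gen_pf_rules() {
    sensor=$1; shift
    echo "block out on $sensor all"
    for port in "$@"; do
        echo "pass out on $sensor proto tcp from any to any port $port"
    done
}

# Read a brconfig(8) listing on stdin and report any member interface whose
# flags still contain LEARNING. Returns 1 if one is found, 0 otherwise.
# Member lines look like "fxp1 flags=3<LEARNING,DISCOVER>" (leading tabs are
# stripped by read, so the first word is the interface name).
check_bridge_members() {
    rc=0
    while read -r line; do
        case "$line" in
            *" flags="*"<"*LEARNING*">"*)
                echo "member ${line%% *} still has address learning enabled"
                rc=1 ;;
        esac
    done
    return $rc
}

# Constructed listing in the style of "brconfig bridge0" output; fxp1 has been
# left at its defaults and should be flagged by the check.
SAMPLE_BRCONFIG='bridge0: flags=41<UP,RUNNING>
	Configuration:
		priority 32768 hellotime 2 fwddelay 15 maxage 20
	Interfaces:
		fxp0 flags=0<>
			port 1 ifpriority 128 ifcost 55
		fxp1 flags=3<LEARNING,DISCOVER>
			port 2 ifpriority 128 ifcost 55
		fxp2 flags=2<DISCOVER>
			port 3 ifpriority 128 ifcost 55'

echo "# /etc/bridgename.bridge0"
gen_bridge_config fxp0 fxp1 fxp2
echo "# pf.conf fragment for the sensor on fxp2"
gen_pf_rules fxp2 80 443
echo "# checking sample listing"
echo "$SAMPLE_BRCONFIG" | check_bridge_members || echo "fix the flagged member(s) before trusting the feed"
```

The generated bridgename.bridge0 lines can be written to that file so the bridge comes up at boot, and the pf fragment is loaded with `pfctl -f`. The check is worth running after any interface change: a tap port that silently regains learning will populate the forwarding table and the sensors will stop seeing traffic whose destination MAC the bridge thinks it knows.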




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users