Snort mailing list archives

Re: snort behind TAP & asynchronous_link


From: Chris Green <cmg () sourcefire com>
Date: Thu, 15 Aug 2002 10:36:56 -0400

Holger.Woehle () arcor net writes:


> You are right about the function of the Tap splitting the traffic.
> If I use bond0 with two devices on both Tap ends everything works...
> So, why wouldn't I do that?
> I have to observe a redundant ethernet infrastructure. For this
> reason I have to use bond0 to merge Tap A from two Taps. That means
> 2 x 100mbit, which is a lot of traffic, but it works!  If I try to
> catch the answers at Tap B, I have a bonding interface with 4 x
> 100mbit...  only to be able to make stream assembly work. I think
> that's too high a price.  But let us talk about that opinion: I
> don't need any rules observing the server answers.  Does the
> backward traffic stress snort heavily even without rules?  I
> think yes: Snort has to examine every packet, so I think I would
> have a lot of packet losses, wouldn't I?


It's your trade-off and it's dependent on your configuration.  The way
asynchronous_link assembly has to work is just queuing up packets from
remote clients and then pushing them through the detection engine
rather than seeing what packets the server expects to see.

This means that a session running in asynchronous_link mode does not
have the same type of defenses against snot-type attacks.

Perfect world:
look at both sides

Other worlds:
choose what works for you in your environment.
-- 
Chris Green <cmg () sourcefire com>
"Yeah, but you're taking the universe out of context."
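Added illustration, not code from this thread or from Snort itself: a toy Python model of the two assembly approaches Chris contrasts above. One assembler sees only the client-to-server direction (the asynchronous_link situation, where only Tap A is monitored) and has to queue every segment at face value; the other also sees the server side and only releases client data that the server has acknowledged, so a segment the server never ACKs (which is what a snot-style decoy packet looks like to the sensor) is never inspected as real stream content. The class names, addresses, the `EVIL-PATTERN` signature and all packets are constructed for the example; Snort's real stream4 preprocessor tracks far more state than this.

```python
"""Toy model of one-sided vs two-sided TCP stream assembly (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional

CLIENT = "10.0.0.5"          # constructed addresses
SERVER = "10.0.0.80"
SIGNATURE = b"EVIL-PATTERN"  # constructed detection content, not a real rule


@dataclass
class Segment:
    src: str
    dst: str
    seq: int             # sequence number of the first payload byte
    ack: Optional[int]   # ACK number when the ACK flag is set, else None
    payload: bytes = b""


def detect(data: bytes) -> List[str]:
    """Stand-in for the detection engine: report signature hits on assembled data."""
    return ["signature-hit"] if SIGNATURE in data else []


class AsyncLinkAssembler:
    """asynchronous_link-style assembly: queue client->server segments in
    sequence order and push the whole queue through detection.  The server
    direction is never seen, so every queued segment is taken at face value."""

    def __init__(self) -> None:
        self.queue: List[Segment] = []

    def feed(self, seg: Segment) -> None:
        if seg.src == CLIENT and seg.dst == SERVER and seg.payload:
            self.queue.append(seg)

    def flush(self) -> bytes:
        self.queue.sort(key=lambda s: s.seq)
        return b"".join(s.payload for s in self.queue)


class TwoSidedAssembler:
    """Both-directions assembly: client data is only released to detection
    once the server has acknowledged it.  A segment the server never ACKs
    (out of window, spoofed, or simply lost) is never treated as stream
    content.  Only the ACK bound is modelled here; a real tracker also
    checks the lower window edge and overlaps."""

    def __init__(self) -> None:
        self.pending: List[Segment] = []
        self.highest_ack: Optional[int] = None

    def feed(self, seg: Segment) -> None:
        if seg.src == CLIENT and seg.dst == SERVER and seg.payload:
            self.pending.append(seg)
        elif seg.src == SERVER and seg.dst == CLIENT and seg.ack is not None:
            if self.highest_ack is None or seg.ack > self.highest_ack:
                self.highest_ack = seg.ack

    def flush(self) -> bytes:
        if self.highest_ack is None:
            return b""  # nothing acknowledged yet, nothing to inspect
        acked = [s for s in self.pending
                 if s.seq + len(s.payload) <= self.highest_ack]
        acked.sort(key=lambda s: s.seq)
        return b"".join(s.payload for s in acked)


def constructed_traffic() -> List[Segment]:
    """Constructed capture: one real request, the server's ACK for it, and a
    stray client segment at an unrelated sequence number the server never ACKs."""
    request = b"GET /index.html HTTP/1.0\r\n\r\n"          # 28 bytes
    return [
        Segment(CLIENT, SERVER, 1000, None, request),
        Segment(SERVER, CLIENT, 7000, 1000 + len(request)),  # ACK 1028
        Segment(CLIENT, SERVER, 5000, None, b"EVIL-PATTERN"),  # never ACKed
    ]


def run(assembler_cls) -> List[str]:
    """Feed the constructed traffic through one assembler and run detection."""
    asm = assembler_cls()
    for seg in constructed_traffic():
        asm.feed(seg)
    return detect(asm.flush())


if __name__ == "__main__":
    print("asynchronous_link:", run(AsyncLinkAssembler))  # ['signature-hit']
    print("two-sided        :", run(TwoSidedAssembler))   # []
```

The one-sided assembler fires on the stray segment because it has no way to know the server never accepted those bytes; the two-sided assembler withholds anything beyond the server's highest ACK. That is the defensive property given up in exchange for not bonding Tap B, which is the trade-off Chris is pointing at.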

