Snort mailing list archives

Re: Stealth sensor on SPAN port w/o tap


From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 11 Nov 2002 06:20:48 -0800 (PST)

On Sun, 10 Nov 2002, Robert MacKinnon wrote:

> Is it possible to have three Ethernet interfaces in a snort sensor; one
> interface connected to a management network for sensor control and
> reporting and the other two sensors connected into separate switches
> configured in a high availability mode?  ASCII art follows:

[...snip...]

Sure is.  In fact, it's a fairly common thing.


> The etherchannel connects the switches together in a HA arrangement.  The
> snort sensors would be connected to SPAN ports monitoring local ports on
> each switch (10/100 baseT speeds).  STP would block nonactive ports so only
> one sensor at a time would be receiving data.  The interfaces would be
> stealthy.

> My question arises because I'm not sure if I would have to
> -  configure two instances of snort on the same machine and give each
> sensor an ID in ACID.
> or
> - configure one instance of snort with multiple -i flag options.

Option 2 wouldn't work as Snort only uses one -i flag.

Option 3:  Use a Linux kernel 2.1.x/2.2.x+ and use the "-i any" option
[0].

Option 4:  Use a *BSD and bonding to combine both physical interfaces into
one logical one that you can sniff.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

[0]     http://www.snort.org/docs/faq.html#3.4
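Putting option 3 into practice on a Linux sensor, as an added example that is not from the thread or from the Snort project (interface names eth1/eth2, the management address 192.0.2.10 and the config/log paths are assumptions). It prepares the two SPAN-fed interfaces as stealth interfaces and starts a single Snort on "-i any", filtering out the management interface's own traffic, which "-i any" would otherwise also capture.

```shell
#!/bin/sh
# Added example: stealth sniffing interfaces + one Snort on "-i any".
# DRY_RUN=1 prints each command instead of executing it (no root needed).
set -e

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Bring a monitoring interface up with no IP address, ARP disabled and
# promiscuous mode on.  libpcap's "any" device cannot itself be put into
# promiscuous mode, so each physical interface must be set promisc here.
stealth_iface() {
    iface="$1"
    run ip addr flush dev "$iface"
    run ip link set dev "$iface" arp off
    run ip link set dev "$iface" promisc on
    run ip link set dev "$iface" up
}

# One Snort instance across all interfaces (Linux cooked capture).  The
# trailing BPF expression keeps the management host's traffic out of the
# capture, since "-i any" also sees the management interface.
start_snort() {
    mgmt_ip="$1"    # address of the management interface (assumed value)
    run snort -D -c /etc/snort/snort.conf -l /var/log/snort -i any \
        not host "$mgmt_ip"
}

# Usage (as root): "DRY_RUN=1 sh stealth.sh --apply" to preview,
# "sh stealth.sh --apply" to configure and start the sensor.
if [ "${1:-}" = "--apply" ]; then
    stealth_iface eth1
    stealth_iface eth2
    start_snort 192.0.2.10
fi
```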
