Snort mailing list archives

Re: Understanding IDS & TAPS


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 18 Dec 2002 18:29:02 -0500

This diagram is actually a "pretty advanced" setup. This is by far not the only way to set up a tap for snort, but is a good way to make a "receive only" that handles very high traffic loads, i.e., if you need to tap a heavily used 100mbit link, this is a good way to do it.

It will not work for "just any" switch; it must be a switch with a spanning port or that can be configured so that one of its ports is a spanning port. The spanning port gets ALL traffic that comes in on ALL ports, by definition (if it did not, it would not be a spanning port). This feature is generally seen in rack-mount switches for business use. It's not commonly seen in inexpensive 16-port switches sold at Best Buy.

As far as I can tell in this diagram the primary purpose of the switch is to act as a packet buffer and to collate traffic from both directions as receive data without introducing delay to the data going by on the wire.



At 12:00 PM 12/18/2002 -0500, Carleton, Sam (SCI TW) wrote:
Folks,

I understand the IDS and TAPS, but not completely.  The main thing is the
physical hookup of the TAP to the IDS.  I don't understand the "100Mb IDS
Tapping Diagram (with only 100bt span port)" diagram.  The switch being
used, can it be any old switch or does it have to be something that is
programmable?  What I don't understand is how the traffic gets through the
switch.  How does the switch know where to send the packets which are coming
in from the Port A and Port B?

Sam


-------------------------------------------------------
This SF.NET email is sponsored by: Order your Holiday Geek Presents Now!
Green Lasers, Hip Geek T-Shirts, Remote Control Tanks, Caffeinated Soap,
MP3 Players,  XBox Games,  Flying Saucers,  WebCams,  Smart Putty.
T H I N K G E E K . C O M       http://www.thinkgeek.com/sf/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


