RE: Passive Tap Help

[Frank Knobbe <frank () knobbe us>]

On Mon, 2003-12-01 at 10:58, Lists wrote:
> It may be worth replacing the "switch/spanned port" section with a
> second "sniffing interface" to the sensor.  i.e.  One interface sniffs
> incomming, the other sniffs outgoing.
>
> I haven't tried this but I expect it could resolve the collision issue
> mentioned above. Also, a second NIC would most likely be cheaper and
> easier to find than a switch that can be configured as required.
>
> Would anyone with more snort experience care to comment on this? i.e.
> Does this break any of the preprocessors?  What impact would it have on
> performance?

Yup, that's been advertised as a solution. I like to see some comments
from folks using it as well.

But you need to be clearer on the second interface solution. It is
possible to use a second NIC and have two pcaps running and the IDS
reassembling the data itself. Or you can have two NICs set up as a
bonded/joined interface where the OS does the reassembling and a single
instance of pcap and IDS runs over the traffic.

My guess on performance is that 1) produces an unneeded overhead that
can be save with 2). Since there is only a single instance of pcap/IDS,
it shouldn't impact performance at all.

Later,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part