Snort mailing list archives

passive tap


From: christian graf <chr.graf () gmx de>
Date: 02 Dec 2003 10:32:35 +0100

Hi,

my experiences with another IDS than snort are the following:
1) the easiest solution is mirroring the e.g. 100Mbit link to a 1Gig
link. Having this you are avoiding oversubscription and you do not have
to change anything on your IDS. That's independent from the usage of any
taps. You don't need them in this scenario.
2) The worst is, like others said, having two instances of SNORT/libpcap
running. Huge overhead, poor performance and the loss of any
stateful capabilities / preprocessors. That will not satisfy anybody.
3) the bridging solution
I tried this and the results are really bad. Bridging produces overhead
and, more important, as your SNORT device is acting like a bridge,
you have to DISABLE the forwarding on your "snort-bridging-device". If
not, all packets may be seen on both interfaces and therefore you get
all alerts twice. I wouldn't take it.
4) the bonding
yes, the bonding was a real nice success. Just enable the
bonding interface and you get what you want. You can use 2 NICs, having
the tapped rx and tx streams recombined in the bonding interface, and you
need only one instance of snort running. I have never thought about whether
packets may be disordered when using a bonding interface. This could be a
potential problem when thinking about statefulness and the
preprocessors. But maybe anybody on this list could clarify this.
Regarding this limitation, point (1) is the safest unless your
switch/router is powerful enough in its mirroring capabilities.


hope this helps

christian
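The reordering concern raised in point 4, as an added example that is not part of the original post: a passive tap splits a full-duplex link into an rx leg and a tx leg, and whatever recombines them (a bonding interface, or two capture sockets) can deliver the two legs out of wire order. The packets, the `merge_with_leg_skew` model of a bond delaying one leg, and the three-way-handshake tracker below are all constructed for illustration and are not Snort's stream code; the script shows why a stateful preprocessor can silently skip data when the legs are recombined out of order.

```python
"""Recombine two tap legs and check what a stateful tracker sees.

Constructed example. LEG_A carries client->server, LEG_B carries
server->client, exactly as the two sides of a passive tap would.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float   # wire timestamp in seconds (both legs share one clock here)
    src: str
    dst: str
    flags: str  # TCP flags: "S", "SA", "A", "PA"


# Constructed sample traffic: one TCP handshake followed by one data segment.
LEG_A = [Packet(1.000, "10.0.0.5", "10.0.0.9", "S"),
         Packet(1.002, "10.0.0.5", "10.0.0.9", "A"),
         Packet(1.003, "10.0.0.5", "10.0.0.9", "PA")]
LEG_B = [Packet(1.001, "10.0.0.9", "10.0.0.5", "SA"),
         Packet(1.004, "10.0.0.9", "10.0.0.5", "A")]


def merge_by_timestamp(leg_a: Iterable[Packet], leg_b: Iterable[Packet]) -> List[Packet]:
    """Ideal recombination: wire order, as if one NIC saw the whole link."""
    return sorted(list(leg_a) + list(leg_b), key=lambda p: p.ts)


def merge_with_leg_skew(leg_a: Iterable[Packet], leg_b: Iterable[Packet],
                        skew_b: float) -> List[Packet]:
    """Model (an assumption, not a measured bond driver) of a bonding interface
    that hands leg B's packets up `skew_b` seconds later than leg A's.
    Packets keep their original timestamps; only delivery order changes."""
    arrivals = [(p.ts, p) for p in leg_a] + [(p.ts + skew_b, p) for p in leg_b]
    return [p for _, p in sorted(arrivals, key=lambda t: t[0])]


def track_handshake(stream: Iterable[Packet]) -> Tuple[str, int]:
    """Minimal three-way-handshake state machine in the spirit of a stateful
    preprocessor: data is only counted as inspected once the connection is
    ESTABLISHED. Packets that do not fit the expected next step are ignored,
    which is the failure mode this example is about."""
    state = "NONE"
    inspected = 0
    for p in stream:
        if state == "NONE" and p.flags == "S":
            state = "SYN_SENT"
        elif state == "SYN_SENT" and p.flags == "SA":
            state = "SYN_RECV"
        elif state == "SYN_RECV" and p.flags == "A":
            state = "ESTABLISHED"
        elif state == "ESTABLISHED" and "P" in p.flags:
            inspected += 1
    return state, inspected


if __name__ == "__main__":
    ordered = merge_by_timestamp(LEG_A, LEG_B)
    skewed = merge_with_leg_skew(LEG_A, LEG_B, skew_b=0.003)
    print("wire order :", [p.flags for p in ordered], track_handshake(ordered))
    print("skewed bond:", [p.flags for p in skewed], track_handshake(skewed))
```

With the legs in wire order the tracker ends ESTABLISHED and inspects the one data segment; with leg B delayed by 3 ms the SYN-ACK arrives after the client's ACK and data, so the tracker still ends ESTABLISHED but the PA segment passed before that state was reached and was never inspected. Both capture interfaces sharing a clock (or a tap aggregator that timestamps in hardware) is what makes the first merge possible; a bond gives you the second.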



