Snort mailing list archives

Re: Span Port to Fiber Tap Problems

From: Jeff Nathan <jeff () snort org>
Date: Fri, 24 Oct 2003 12:34:13 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This shows a load balancer, but you still get the idea of needing tobond two interfaces together as you mention below.

A Tap, be it fiber or copper splits out the transmit pair to a uniqueport. Taps must have their output recombined in one way or another.


Take a look at:

http://www.snort.org/docs/Gb_tapping.pdf

- -Jeff

On Thursday, October 23, 2003, at 01:28 PM, Dusty Hall wrote:


  We figured out the problem... We previously thought that we only

needed one fiber NIC in our Snort system but it turns out we overlooked

that the tap turns the traffic into two Rx streams, this means we would

have to use two fiber NIC's (because you can only have on Rx channelper

NIC).  After reading some old posts on Bonding we combined two NIC's
into bond0 which Snort is able to use.  Everything seems to be working
like a champ at the moment.

  Is there any disadvantage to the way we have ours setup to the way
Vjay suggests?

-Dusty

-----
Dusty Hall
Network Security Specialist
Auburn University

"larosa, vjay" <larosa_vjay () emc com> 10/21/2003 11:30:40 PM >>>

Mike I tried to reply directly but mail to you is bouncing, hopefully
you
and some other people on the list will find this diagram helpful. I
whipped
it up quick, hope it isn't to confusing.

vjl

-----Original Message-----
From: larosa, vjay
Sent: Wednesday, October 22, 2003 12:25 AM
To: 'kudzu () tenebras com'
Subject: FW: [Snort-users] Span Port to Fiber Tap Problems


Okay, see if this makes sense to you. If not maybe we should talk on
the
phone.


vjl



-----Original Message-----
From: Michael Sierchio [mailto:kudzu () tenebras com]
Sent: Tuesday, October 21, 2003 11:06 PM
To: larosa, vjay
Subject: Re: [Snort-users] Span Port to Fiber Tap Problems

larosa, vjay wrote:

Your fiber tap has a send and receive in one cable now. You need to

split

the cable, plug half of each side in to a small switch (Cisco 3500 XL

8
port

gig with auto negotiation turned off) then span the two ports back in

to
one

port where you plug in your snort sensor. The Gigabit line you have

snort

plugged in now is only presenting half of the conversation to snort

so

stream4 is not allowing the packets to be processed because it is

only

seeing half of the conversation. Let me know if you need more help, I

have

this setup in several places.


vjay -

I for one do wish you'd expand a bit (got any diagrams or photos?).
I've
done copper taps, but never fiber taps, so am concerned about doing it
right and getting all the packets.

Thanks,

Michael



-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community?  Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


- --
http://cerberus.sourcefire.com/~jeff       (gpg/pgp key id 6923D3FD)
"Problems cannot be solved at the same level of awareness that
created them."   - Albert Einstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)

iD8DBQE/mVSIEqr8+Gkj0/0RAiM0AJ9BEqChJyP3fx4qQC+BfZ8mnKL15ACfTtyU
K3D71dQLx5JFyz8/9BPq40E=
=ksCX
-----END PGP SIGNATURE-----



-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community?  Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Span Port to Fiber Tap Problems Dusty Hall (Oct 20)
- <Possible follow-ups>
- RE: Span Port to Fiber Tap Problems larosa, vjay (Oct 20)
- Re: Span Port to Fiber Tap Problems Shawn Truax (Oct 23)
- RE: Span Port to Fiber Tap Problems larosa, vjay (Oct 23)
- RE: Span Port to Fiber Tap Problems Dusty Hall (Oct 23)
  - Re: Span Port to Fiber Tap Problems Jeff Nathan (Oct 25)