Snort mailing list archives
Re: Ethernet Tap
From: Richard Bejtlich <richard_bejtlich () yahoo com>
Date: Fri, 16 Apr 2004 08:27:47 -0700 (PDT)
Sean Lazar wrote:
The reason for a two card setup with a tap is to physically prevent your IDS from ever transmitting.
--

Don't forget that a tap preserves the full duplex nature of a link, unlike a hub. The two outputs to the probe on a traditional tap represent the two TX sides of a full duplex conversation. That's why traditional tap outputs feed into two probe NICs.

I say "traditional tap" because the new Net Optics 10/100 Ethernet Port Aggregator Tap is the first device to offer a RAM-buffered single output.[0]

I don't buy the "buy a switch" argument either. I did a cost and feature comparison at my Blog:
http://taosecurity.blogspot.com/2004_04_01_taosecurity_archive.html#108103774817736037

===

Jens Altrock wrote:
I'd need a software that reassembles the network traffic in a way right?
--

Jens, I just posted on my Blog the method I use to combine separate physical NIC traffic into a single virtual NIC:
http://taosecurity.blogspot.com/2004_04_01_taosecurity_archive.html#108212869210865161

When you have that single virtual NIC, you can run Tcpdump or Snort against it without problems.

Good luck,
Richard
http://www.taosecurity.com

[0] See http://www.netoptics.com/products/product_family_details.asp?cid=1&pid=3&Section=products&menuitem=1. for info on the Net Optics product.
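An offline counterpart to the single virtual NIC described in the message above, added here as an example (it is not from the original post or the linked blog): two per-direction captures, one from each probe NIC, merged into one time-ordered classic pcap stream. It assumes both NICs were timestamped by the same host clock and that the files are little-endian, microsecond-resolution pcap; all function names are hypothetical.

```python
import heapq
import io
import struct

PCAP_MAGIC = 0xA1B2C3D4                 # classic pcap, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver, ver, zone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len

def read_pcap(stream):
    """Yield ((ts_sec, ts_usec), orig_len, frame) for each record in a pcap stream."""
    magic = GLOBAL_HDR.unpack(stream.read(GLOBAL_HDR.size))[0]
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap stream")
    while True:
        hdr = stream.read(RECORD_HDR.size)
        if len(hdr) < RECORD_HDR.size:
            return                      # clean end of file
        sec, usec, incl, orig = RECORD_HDR.unpack(hdr)
        frame = stream.read(incl)
        if len(frame) < incl:
            return                      # truncated final record: drop it
        yield (sec, usec), orig, frame

def merge_directions(side_a, side_b, out, snaplen=65535, linktype=1):
    """Interleave the two TX-side captures by timestamp into one pcap stream."""
    out.write(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    # Each input is already in time order, so a streaming two-way merge suffices.
    both = heapq.merge(read_pcap(side_a), read_pcap(side_b), key=lambda r: r[0])
    for (sec, usec), orig, frame in both:
        out.write(RECORD_HDR.pack(sec, usec, len(frame), orig))
        out.write(frame)

def build_pcap(records, linktype=1):
    """Build an in-memory capture from (sec, usec, frame) tuples (constructed data)."""
    buf = io.BytesIO()
    buf.write(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for sec, usec, frame in records:
        buf.write(RECORD_HDR.pack(sec, usec, len(frame), len(frame)))
        buf.write(frame)
    buf.seek(0)
    return buf

def demo():
    """Merge two constructed one-way captures; frames are placeholder bytes."""
    tx_a = build_pcap([(100, 10, b"A1"), (100, 500, b"A2"), (101, 0, b"A3")])
    tx_b = build_pcap([(100, 200, b"B1"), (100, 900, b"B2")])
    merged = io.BytesIO()
    merge_directions(tx_a, tx_b, merged)
    merged.seek(0)
    return [frame for _, _, frame in read_pcap(merged)]
```

If the two NICs are timestamped by different clocks, the interleaving between directions is only as accurate as the clock offset between them.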
Current thread:
- Ethernet Tap Altrock, Jens (Apr 15)
- Re: Ethernet Tap Matt Kettler (Apr 15)
- Re: Ethernet Tap Sean Lazar (Apr 15)
- <Possible follow-ups>
- Re: Ethernet Tap Richard Bejtlich (Apr 16)