Snort mailing list archives

Re: Ethernet Tap


From: Richard Bejtlich <richard_bejtlich () yahoo com>
Date: Fri, 16 Apr 2004 08:27:47 -0700 (PDT)

Sean Lazar wrote:

The reason for a two card setup with a tap is to
physically prevent your IDS from ever transmitting. 

--

Don't forget that a tap preserves the full duplex
nature of a link, unlike a hub.  The two outputs to
the probe on a traditional tap represent the two TX
sides of a full duplex conversation.  That's why
traditional tap outputs feed into two probe NICs.

I say "traditional tap" because the new Net Optics
10/100 Ethernet Port Aggregator Tap is the first
device to offer a RAM-buffered single output.[0]

I don't buy the "buy a switch" argument either.  I did
a cost and feature comparison at my Blog:

http://taosecurity.blogspot.com/2004_04_01_taosecurity_archive.html#108103774817736037

===

Jens Altrock wrote:

I'd need software that reassembles the network
traffic in a way, right?

--

Jens,

I just posted on my Blog the method I use to combine
separate physical NIC traffic into a single virtual
NIC:

http://taosecurity.blogspot.com/2004_04_01_taosecurity_archive.html#108212869210865161

When you have that single virtual NIC, you can run
Tcpdump or Snort against it without problems.

Good luck,

Richard
http://www.taosecurity.com

[0] See
http://www.netoptics.com/products/product_family_details.asp?cid=1&pid=3&Section=products&menuitem=1.
for info on the Net Optics product.
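
An added example, not part of Richard's message and not the virtual-NIC method from his blog post: an offline equivalent that merges the two per-direction captures from a traditional tap into one time-ordered pcap that Tcpdump or Snort can read. All names and the sample frames are constructed for illustration; it assumes both NICs were captured on the same host, so their timestamps share one clock.

```python
import heapq
import io
import struct

PCAP_MAGIC = 0xA1B2C3D4                    # classic pcap, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")     # magic, major, minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")           # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1


def read_pcap(blob):
    """Yield (ts_sec, ts_usec, orig_len, frame) from a little-endian pcap."""
    if len(blob) < GLOBAL_HDR.size:
        raise ValueError("truncated pcap global header")
    magic, _, _, _, _, _, linktype = GLOBAL_HDR.unpack_from(blob, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected little-endian Ethernet pcap")
    off = GLOBAL_HDR.size
    while off < len(blob):
        if off + REC_HDR.size > len(blob):
            raise ValueError("truncated record header")
        sec, usec, incl, orig = REC_HDR.unpack_from(blob, off)
        off += REC_HDR.size
        if off + incl > len(blob):
            raise ValueError("truncated frame")
        yield sec, usec, orig, blob[off:off + incl]
        off += incl


def write_pcap(records, snaplen=65535):
    out = io.BytesIO()
    out.write(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for sec, usec, orig, frame in records:
        out.write(REC_HDR.pack(sec, usec, len(frame), orig))
        out.write(frame)
    return out.getvalue()


def merge_tap_outputs(side_a, side_b):
    """Interleave two per-direction captures by timestamp (each already in time order)."""
    return write_pcap(heapq.merge(read_pcap(side_a), read_pcap(side_b),
                                  key=lambda r: (r[0], r[1])))


def rec(sec, usec, src, dst, payload):     # constructed Ethernet frame, not real traffic
    frame = dst + src + b"\x08\x00" + payload
    return sec, usec, len(frame), frame


HOST_A, HOST_B = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"
SIDE_A = write_pcap([rec(100, 100, HOST_A, HOST_B, b"SYN"), rec(100, 300, HOST_A, HOST_B, b"ACK")])
SIDE_B = write_pcap([rec(100, 200, HOST_B, HOST_A, b"SYN-ACK"), rec(100, 400, HOST_B, HOST_A, b"DATA")])
```

Read alone, either input file shows only one host talking; only the merged output has the frames of both directions in conversation order.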

