Snort mailing list archives
eth. sniffing tech. solutions
From: Thomas Zauner <Thomas_Zauner () bayern-mail de>
Date: Mon, 09 Aug 2004 19:10:30 +0200
hello,

i got a question about sniffing the 10mbit connection between a dsl router and a pptp dialin machine running OpenBSD providing internet access for 2 networks.
I want an IDS (at ?) to check the traffic.

  -----------      ---      -----------------------------------   <switch1>
  | router  |------|?|------| OpenBSD (pptp)                  |
  -----------      ---      -----------------------------------   <switch2>

different solutions for |?|
--------------------------------------------------------------------------------------------

1) USING AN ETHERNET TAP

there is a "building a passive ethernet tap"-HOWTO on the snort homepage and it looks really easy and cheap to build one of these.

  -------------<TAP>-------
              |   |
             ___  |
             |  |____
             | 2 NIC's  |
             | +SNORT   |
             -----------

If i understood it right i need 2 NIC's and bridge them (OpenBSD = bridge0) on my IDS to get full-duplex information. Then have snort run on the bridge. Does that really work like that? Hmmm? I found this "bridge 2 NIC's solution" in another mailing list but i am not convinced OpenBSD bridges do that. (probably a 3rd nic leading to a management/secure net to control the IDS and check the data, but that's not the point so i left it out)

2) JUST PUT A SYSTEM RIGHT IN THE MIDDLE

              _________________
             | OpenBSD+        |
  -----------| SNORT+          |------------------------
             | 2NIC+bridge     |
              -----------------

Why not just use a dedicated system (like 500MHZ+515RAM+4GB HD) and bridge the 2 NICs (NO IP's) and just "listen" on one of them. This way if u want to react to an alert you could tear down the line easily, and also use a firewall (here pf) to do some additional blocking (maybe temporary).
(also in this solution a 3rd NIC leading to a secure management net would be used)

3) HUBS
not much different from the "homemade TAP" solution i guess

4) managed SPAN switches
can't afford it because there are only 12+ ports out there and they are too $$$

--------------------------------------------------------------------------------------------------

solution 2: only negative thing is that if the IDS breaks down, so does your internet conn. But hey, same applies probably to your firewall and the router too.
solution 4: is very good if you can afford it and if you need it.
solution 1/3: well why not just make a TAP yourself. But why then are there so many discussions out there on how to do it?

CONCLUSION: I HAVE MISSED STH. PLEASE HELP ME. I WOULD LOVE TO RTFM.

thx a lot, thomas
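The inline setup of solution 2 spelled out as an OpenBSD configuration, added here as an example and not part of the original post: the interface names fxp0/fxp1/fxp2, the 192.0.2.0/24 management net and the 203.0.113.5 address are assumed placeholders, and the hostname.if(5) syntax is that of current OpenBSD (older releases configured the bridge through brconfig(8) and /etc/bridgename.bridge0 with the same keywords).

```conf
# /etc/hostname.fxp0 -- first bridge member, faces the router.
# No address is assigned, so the IDS box cannot be addressed on the wire.
up

# /etc/hostname.fxp1 -- second bridge member, faces the pptp host. No address.
up

# /etc/hostname.bridge0 -- transparent bridge joining the two members.
# Frames are forwarded by the kernel whether or not snort is running;
# if this box goes down, so does the link (the drawback noted above).
add fxp0
add fxp1
up

# /etc/hostname.fxp2 -- management NIC, the only interface with an address
# (192.0.2.10/24 is a documentation address used as a placeholder).
inet 192.0.2.10 255.255.255.0

# /etc/pf.conf fragment -- pf filters bridged traffic on the member
# interfaces, so a temporary block for a host that raised an alert goes here.
table <blocked> persist
block in quick on fxp0 from <blocked>
pass on { fxp0 fxp1 } all
block in on fxp2
pass in on fxp2 proto tcp from 192.0.2.0/24 to (fxp2) port 22

# Add an offending address at runtime, and remove it again when done:
#   pfctl -t blocked -T add 203.0.113.5
#   pfctl -t blocked -T delete 203.0.113.5

# Snort listens on one member interface; it sees both directions because
# every bridged frame passes through that NIC in promiscuous mode.
#   snort -i fxp0 -c /etc/snort/snort.conf -D
```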