Snort mailing list archives

eth. sniffing tech. solutions


From: Thomas Zauner <Thomas_Zauner () bayern-mail de>
Date: Mon, 09 Aug 2004 19:10:30 +0200

hello,

I have a question about sniffing the 10 Mbit connection between a DSL router and a PPTP dial-in machine running OpenBSD that provides internet access for 2 networks.
I want an IDS (at ?) to check the traffic.


 -----------        ---        -------------------   <switch1>
| router  |-------|?|------| OpenBSD (pptp) |
 -----------        ---        -------------------   <switch2>

different solutions for |?|

--------------------------------------------------------------------------------------------

1) USING AN ETHERNET TAP

   there is a "building a passive ethernet tap" HOWTO on
   the snort homepage and it looks really easy and cheap
   to build one of these.

   -------------<TAP>-------
                  | |
               ___| |____
              | 2 NICs   |
              | + SNORT  |
               -----------
   If I understood it right I need 2 NICs and bridge them
   (OpenBSD = bridge0) on my IDS to get full-duplex information.
   Then have snort run on the bridge.
   Does that really work like that? Hmmm?
   I found this "bridge 2 NICs" solution in another mailing list,
   but I am not convinced OpenBSD bridges do that.
   (Probably a 3rd NIC leading to a management/secure net to control
   the IDS and check the data, but that's not the point so I left it out.)

2)  JUST PUT A SYSTEM RIGHT IN THE MIDDLE
        _________________
       |   OpenBSD+      |
-------|   SNORT+        |------------------------
       |   2NIC+bridge   |
        -----------------
Why not just use a dedicated system (like 500MHZ+515RAM+4GB HD)
    and bridge the 2 NICs (no IPs) and just listen on one of them.
This way, if you want to react to an alert, you could tear down the line easily, and also use a firewall (here pf) to do some additional blocking (maybe temporarily).

(also in this solution a 3rd NIC leading to a secure management net would be used)

3) HUBS
      not much different from the "homemade TAP" solution, I guess
4) managed SPAN switches: can't afford it, because there are only 12+ port ones out there and they are too $$$



--------------------------------------------------------------------------------------------------
solution 2:
                   the only negative thing is that if the IDS breaks down,
                   so does your internet connection. But hey, the same
                   probably applies to your firewall and the router too.
solution 4:
                    is very good if you can afford it and if you need it.
solution 1/3:
                    well, why not just make a TAP yourself.

But why then are there so many discussions out there on how to do it?
CONCLUSION: I HAVE MISSED STH. PLEASE HELP ME. I WOULD LOVE TO RTFM.


thx a lot,
thomas
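As an added example (not part of the original post), this is what the "system in the middle" layout from solution 2 looks like as concrete OpenBSD configuration: two address-less NICs joined in bridge0, pf filtering on the bridge members with a persistent table for temporary blocks, and a third NIC on a management net. The interface names em0/em1/em2, the 192.0.2.0/24 management range and the table name ids_block are assumptions; the function writes into a staging root so it can be inspected before being copied to a real box.

```sh
#!/bin/sh
# Added example: stage the OpenBSD files for an in-line bridging IDS.
# Interface names (em0/em1 bridged, em2 management) and the 192.0.2.0/24
# management range are assumptions, not taken from the original post.
set -eu

stage_ids_bridge() {
    root="$1"                      # staging root; would be "/" on the real box
    mkdir -p "$root/etc"
    # Bridge members come up without an address; the bridge itself has no IP.
    printf 'up\n' > "$root/etc/hostname.em0"
    printf 'up\n' > "$root/etc/hostname.em1"
    printf 'add em0\nadd em1\nup\n' > "$root/etc/hostname.bridge0"
    # Only the management NIC carries an address (assumed range).
    printf 'inet 192.0.2.10 255.255.255.0\n' > "$root/etc/hostname.em2"
    # pf filters bridged frames on the member interfaces. The persistent
    # table holds temporary blocks, e.g. added after an IDS alert with
    #   pfctl -t ids_block -T add <address>
    # and aged out later with pfctl -t ids_block -T expire <seconds>.
    # Snort itself listens on one member (snort -i em0 ...), not on bridge0.
    cat > "$root/etc/pf.conf" <<'EOF'
ext_if  = "em0"
int_if  = "em1"
mgmt_if = "em2"
table <ids_block> persist
set skip on lo0
block in quick on { $ext_if, $int_if } from <ids_block>
pass on { $ext_if, $int_if }
block in on $mgmt_if
pass in on $mgmt_if proto tcp from 192.0.2.0/24 to ($mgmt_if) port ssh
EOF
}

# Sanity check for the staged tree: number of members declared for bridge0.
bridge_member_count() {
    grep -c '^add ' "$1/etc/hostname.bridge0"
}
```

Copying the staged /etc files to the IDS host and running `sh /etc/netstart` (or rebooting) brings the bridge up; the member interfaces stay unaddressed, which is what keeps the sensor invisible on the wire.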






