IDS: port bonding and taps

From: John Flynn <johnflynn_at_fastmail.fm>
Date: Wed, 01 Oct 2003 14:53:34 -0400

Hi all,

I'm trying to set up various snort boxes, both on fiber and copper taps.
In order to reconstruct both sides of the stream I understand that one
needs to use multiple cards since the tap outputs the tx and rx on
separate channels. The problem is that to make snort alert correctly one
really has to aggregate the directions. This is commonly done using a
spanning port, but we do not have enough of those at our facility to go
around. In Linux (and in general) it seems this idea is called port
bonding. There is a bonding kernel module for Linux and appropriate
commands for setting this up (ifenslave etc), but it seems to be very
poorly documented. I have tried to set up bonding multiple times and
could not seem to get it to work. Does anyone have good documentation on
how to do this type of setup, or perhaps a better way to do snort+taps
without using a spanning port?
Thanks,
John Flynn

Received on Oct 02 2003
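
The setup asked about above, as an added example that is not part of the original post: a shell function that prints the commands to bond a tap's two monitor NICs into one capture interface. The names bond0, eth1 and eth2, the use of iproute2's `ip` instead of ifenslave, and the balance-rr mode are assumptions.

```shell
#!/bin/sh
# Added example: print the iproute2 commands that join the two monitor
# NICs of a tap (one carries tx, the other rx) into one bond device, so
# the sensor sees both directions on a single interface.
# bond0, eth1 and eth2 are assumed names; substitute your own.

valid_ifname() {
    # Accept 1-15 characters from a conservative set, nothing else.
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

tap_bond_cmds() {
    # usage: tap_bond_cmds BOND NIC_A NIC_B
    [ "$#" -eq 3 ] || { echo "usage: tap_bond_cmds BOND NIC_A NIC_B" >&2; return 1; }
    for n in "$1" "$2" "$3"; do
        valid_ifname "$n" || { echo "bad interface name: $n" >&2; return 1; }
    done
    [ "$2" != "$3" ] || { echo "tap outputs need two different NICs" >&2; return 1; }

    echo "modprobe bonding"
    # Assumed mode: balance-rr, chosen so that both slaves stay active.
    echo "ip link add $1 type bond mode balance-rr"
    for nic in "$2" "$3"; do
        echo "ip link set $nic down"        # a NIC must be down to be enslaved
        echo "ip addr flush dev $nic"       # monitor ports carry no address
        echo "ip link set $nic master $1"
    done
    # The bond never answers on the wire: no ARP, promiscuous, then up.
    echo "ip link set $1 arp off promisc on up"
}

# Print the plan for the assumed names; nothing is executed here.
tap_bond_cmds bond0 eth1 eth2
```

Run the printed commands as root after reviewing them, then start the sensor on the bond, for example `snort -i bond0`.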