Rich Bejtlich posted [0] how he bonded/mirrored two interfaces into a third using netgraph in FreeBSD.
Bammkkkk
[0] http://marc.theaimsgroup.com/?l=snort-users&m=105585533810122&w=2
On Wed, Oct 01, 2003 at 02:53:34PM -0400, John Flynn wrote:
> Hi all,
>
> I'm trying to set up various snort boxes, both on fiber and copper taps.
> In order to reconstruct both sides of the stream I understand that one
> needs to use multiple cards since the tap outputs the tx and rx on
> separate channels. The problem is that to make snort alert correctly one
> really has to aggregate the directions. This is commonly done using a
> spanning port, but we do not have enough of those at our facility to go
> around. In linux (and in general) it seems this idea is called port
> bonding. There is a bonding kernel module for linux and appropriate
> commands for setting this up (ifenslave etc), but it seems to be very
> poorly documented. I have tried to set up bonding multiple times and
> could not seem to get it to work. Does anyone have good documentation on
> how to do this type of set up, or perhaps a better way to do snort+taps
> without using a spanning port?
> Thanks,
> John Flynn
---------------------------------------------------------------------------
Captus Networks IPS 4000
Intrusion Prevention and Traffic Shaping Technology to:
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Automatically Control P2P, IM and Spam Traffic
- Precisely Define and Implement Network Security & Performance Policies
FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
---------------------------------------------------------------------------
Received on Oct 02 2003
Intro
