IDS mailing list archives
RE: Snort IDS + TAPS
From: kgeorgiades () toplayer com
Date: Thu, 13 Nov 2003 22:15:45 -0500
You can also use the Top Layer IDS Balancer to aggregate traffic from multiple taps and deliver the traffic to the Snort sensor. www.toplayer.com

The Top Layer IDSB will put the flows together for you, and will also give you the option to filter the traffic before delivering it to the Snort sensor.

Note: I work for Top Layer.

Kyriacos (Ken) Georgiades
Senior Director, Product Line Management
Top Layer Networks, Inc
Tel: 508 870 1300 x 231
Cell: 508 783 5988
Fax: 508 870 9797
Email: kgeorgiades () toplayer com
www.toplayer.com

-----Original Message-----
From: Eric Hines [mailto:eric.hines () appliedwatch com]
Sent: Wednesday, November 12, 2003 4:24 PM
To: focus-ids () securityfocus com
Cc: snort-users () sourceforge net
Subject: Snort IDS + TAPS

All:

We are deploying Snort on a two interface appliance, connected to a GigE Netoptics Ethernet TAP. By design, TAPs are split up into (2) monitoring ports, (RX split up between two ports):

INTERFACE 1 - (from router -> switch) [ ]
INTERFACE 2 - (from switch -> router) [ ]

Obviously because the RX is split up between 2 ports, if we bind Snort to interface 1, it will only see traffic from ROUTER -> SWITCH. If we bind Snort to interface 2, it will only see traffic from SWITCH -> ROUTER. Therefore, we must bind Snort to both interfaces to see both sides of the session.

Here's where the problem is. If 2 separate Snort processes are monitoring two interfaces, how is the Snort on each interface going to maintain state for all the connections? Each snort process only sees 1/2 of the connection!

I've spoken to someone that has said Snort requires modification to listen on a tapped device because of this very issue.

Someone please advise.

-------------------------------------------
Eric Hines
CEO, Chairman
Applied Watch Technologies, Inc.
web: http://www.appliedwatch.com
email: eric.hines () appliedwatch com
-------------------------------------------
Direct: (877) 262-7593 x327 - Toll Free
Fax: (877) 262-7593
Main: (877) 262-7593 (9am-5pm CST)
-------------------------------------------
"Break free of the IDS Web Browser Prison at Applied Watch Technologies"

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 and use priority code SF4.
---------------------------------------------------------------------------
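The state problem Eric describes can be seen with a few lines of simulation. The following is an added example, not code from this thread, from Snort, or from Top Layer: a minimal three-way-handshake tracker is fed the two halves of one constructed HTTP connection, first as each tap monitor port would deliver them on its own, then merged in time order as an aggregator (or a sensor that joins both ports into one capture interface) would deliver them. The addresses, ports and timestamps are constructed; the Pkt class, track_tcp_state and inspectable_payload are names introduced here. Only the merged view ever reaches ESTABLISHED, which is why a per-port sensor process can never apply rules that depend on an established flow to that traffic.

```python
"""Why one IDS process per tap monitor port cannot keep TCP state.

A full-duplex tap hands each direction of the link to a different monitor
port: here interface 1 carries router -> switch and interface 2 carries
switch -> router. Constructed demonstration data; not Snort's own code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float          # capture timestamp in seconds (constructed)
    iface: int         # tap monitor port the packet arrived on: 1 or 2
    src: str
    sport: int
    dst: str
    dport: int
    flags: str         # TCP flags as letters: S, A, P, F
    payload: int = 0   # payload length in bytes


def flow_key(p):
    """Direction-independent 4-tuple so both halves map to one flow."""
    a = (p.src, p.sport)
    b = (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def _step(state, p):
    """Advance NONE -> SYN_SEEN -> SYNACK_SEEN -> ESTABLISHED.

    A packet that does not fit the current state leaves it unchanged, which
    is exactly what happens when the other direction was never captured.
    """
    if p.flags == "S" and state == "NONE":
        return "SYN_SEEN"
    if p.flags == "SA" and state == "SYN_SEEN":
        return "SYNACK_SEEN"
    if "A" in p.flags and state == "SYNACK_SEEN":
        return "ESTABLISHED"
    return state


def track_tcp_state(packets):
    """Return {flow_key: final handshake state} over a time-ordered capture."""
    states = {}
    for p in sorted(packets, key=lambda x: x.ts):
        k = flow_key(p)
        states[k] = _step(states.get(k, "NONE"), p)
    return states


def inspectable_payload(packets):
    """Payload bytes an established-flow rule could ever be matched against:
    only bytes carried after the flow reached ESTABLISHED count."""
    states, total = {}, 0
    for p in sorted(packets, key=lambda x: x.ts):
        k = flow_key(p)
        states[k] = _step(states.get(k, "NONE"), p)
        if states[k] == "ESTABLISHED":
            total += p.payload
    return total


def by_interface(packets, iface):
    """What a sensor process bound to a single tap monitor port would see."""
    return [p for p in packets if p.iface == iface]


# Constructed capture: one HTTP exchange, client outside the router,
# server behind the switch (RFC 5737 documentation addresses).
CLIENT, SERVER = "203.0.113.7", "192.0.2.10"
CAPTURE = [
    Pkt(0.000, 1, CLIENT, 40000, SERVER, 80, "S"),
    Pkt(0.001, 2, SERVER, 80, CLIENT, 40000, "SA"),
    Pkt(0.002, 1, CLIENT, 40000, SERVER, 80, "A"),
    Pkt(0.003, 1, CLIENT, 40000, SERVER, 80, "PA", payload=120),   # request
    Pkt(0.010, 2, SERVER, 80, CLIENT, 40000, "PA", payload=1400),  # response
    Pkt(0.011, 1, CLIENT, 40000, SERVER, 80, "A"),
]

if __name__ == "__main__":
    key = flow_key(CAPTURE[0])
    for label, pkts in (("interface 1 only", by_interface(CAPTURE, 1)),
                        ("interface 2 only", by_interface(CAPTURE, 2)),
                        ("both ports merged", CAPTURE)):
        print(f"{label:18s} state={track_tcp_state(pkts)[key]:12s} "
              f"inspectable payload={inspectable_payload(pkts)} bytes")
```

Bound to interface 1 alone the tracker stalls at SYN_SEEN (the SYN-ACK never arrives, so the client's ACK and request are ignored); bound to interface 2 alone it never leaves NONE; with both ports merged the flow becomes ESTABLISHED and all 1520 payload bytes are inspectable. The practical consequence is the one the reply above gives: put both monitor ports back together before the traffic reaches a single sensor process, whether with an aggregation device as described or, on the sensor host itself, by joining the two capture interfaces into one logical interface (a common approach that is not discussed in this thread).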
Current thread:
- Snort IDS + TAPS Eric Hines (Nov 13)
- Re: Snort IDS + TAPS Chris Reining (Nov 13)
- <Possible follow-ups>
- RE: Snort IDS + TAPS kgeorgiades (Nov 17)
- RE: Snort IDS + TAPS PPowenski (Nov 17)
