Snort mailing list archives

Snort and network taps


From: counter.spy () gmx de
Date: Tue, 23 Apr 2002 13:23:39 +0200 (MEST)

Hi all,

I've got a question about using Snort with network taps, but this 
question could be relevant for any other NIDS as well:

I have decided to use network taps in order to monitor switchports.
Those taps have the advantage of being read-only and making switch
port mirroring unnecessary. Also full duplex monitoring is guaranteed this
way.
When using such network taps, you need two sniffing interfaces, one for
each tap port, i.e. one for each direction of communication.

Now there are three different possibilities in order to run snort
with this setup:

1.) running snort on any interface, which I would not prefer, because I
don't want to monitor the interface to the MySQL database, which is 
located in a separate, secured segment.

2.) using channel bonding in order to logically merge datastreams of both 
sniffing interfaces and let snort sniff on the virtual interface, 
which is a practice I have not tested, yet.

3.) running one snort process on each sniffing interface

Although I have heard that the second variant works pretty well,
I would prefer the third method, since I suppose channel bonding is not
available for all operating systems and the third variant is better in
performance.

But now comes the real question:

Wouldn't I lose the stateful inspection capability of snort when
using the third method?
Each snort process only sees one direction of each connection,
so it cannot know if a connection has been properly established or
not.
It seems to me that this is a problem that most NIDS should encounter
when running on tap ports, right?

What would you recommend me to do, in order not to lose stateful
analysis capabilities?

Thanks for any pointers, hints and suggestions.

Greetings,
D. Liesen

-- 
GMX - The communication platform on the Internet.
http://www.gmx.net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
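The point raised above (one Snort process per tap port sees only one direction, so it can never confirm that a three-way handshake completed) can be made concrete with a small model. The following is an added example, not code from the original post or from the Snort project: a toy TCP handshake tracker fed with a hand-built trace of one connection as the two tap ports would carry it. Feeding it the merged, time-ordered stream (what channel bonding approximates) reaches ESTABLISHED; feeding it either tap side alone does not. Hosts, ports, timestamps and the state names are constructed for the illustration.

```python
"""Added example (not from the original post or the Snort project): a toy
TCP handshake tracker run over a constructed two-sided tap trace, showing
why a sensor that sees only one tap port cannot confirm a connection was
properly established while a sensor seeing the merged stream can."""
from dataclasses import dataclass

SYN = 0x02
ACK = 0x10
PSH = 0x08


@dataclass(frozen=True)
class Packet:
    ts: float     # capture timestamp in seconds (constructed)
    side: str     # tap port that carried it: "A" (client->server) or "B" (server->client)
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def flow_key(p: Packet) -> str:
    """Canonical 4-tuple so both directions of a connection share one key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return f"{lo[0]}:{lo[1]}<->{hi[0]}:{hi[1]}"


class HandshakeTracker:
    """NEW -> SYN_SENT -> SYN_RECV -> ESTABLISHED; any packet seen before a
    bare SYN marks the flow MIDSTREAM (traffic with no observed handshake)."""

    def __init__(self):
        self.state = {}      # flow key -> state name
        self.initiator = {}  # flow key -> (ip, port) that sent the SYN

    def feed(self, p: Packet) -> str:
        k = flow_key(p)
        st = self.state.get(k, "NEW")
        syn, ack = bool(p.flags & SYN), bool(p.flags & ACK)
        sender = (p.src, p.sport)

        if st == "NEW":
            if syn and not ack:
                st, self.initiator[k] = "SYN_SENT", sender
            else:
                st = "MIDSTREAM"
        elif st == "SYN_SENT" and syn and ack and sender != self.initiator[k]:
            st = "SYN_RECV"
        elif st == "SYN_RECV" and ack and not syn and sender == self.initiator[k]:
            st = "ESTABLISHED"
        # every other packet leaves the state unchanged
        self.state[k] = st
        return st


def final_states(packets) -> dict:
    """Run the tracker over packets in the given order; return flow -> state."""
    t = HandshakeTracker()
    for p in packets:
        t.feed(p)
    return dict(t.state)


def merge_tap_sides(*sides):
    """What channel bonding approximates: one stream ordered by capture time."""
    return sorted((p for side in sides for p in side), key=lambda p: p.ts)


# Constructed trace of one HTTP connection as the two tap ports would see it.
C, S = "10.0.0.5", "10.0.0.9"
SIDE_A = [  # client -> server
    Packet(0.000, "A", C, 40000, S, 80, SYN),
    Packet(0.002, "A", C, 40000, S, 80, ACK),
    Packet(0.003, "A", C, 40000, S, 80, PSH | ACK),
]
SIDE_B = [  # server -> client
    Packet(0.001, "B", S, 80, C, 40000, SYN | ACK),
    Packet(0.004, "B", S, 80, C, 40000, ACK),
]
FLOW = flow_key(SIDE_A[0])

if __name__ == "__main__":
    print("bonded :", final_states(merge_tap_sides(SIDE_A, SIDE_B))[FLOW])  # ESTABLISHED
    print("side A :", final_states(SIDE_A)[FLOW])                           # SYN_SENT
    print("side B :", final_states(SIDE_B)[FLOW])                           # MIDSTREAM
```

Side A alone gets stuck in SYN_SENT because the SYN/ACK travels on the other tap port; side B alone starts with a SYN/ACK it has no SYN for and is treated as mid-stream traffic. Only the merged view, ordered by capture time, lets the tracker verify the handshake, which is the stateful capability the third setup gives up.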
