Re: snort behind TAP & asynchronous_link

["Ian Macdonald" <secsnort () dirk demon co uk>]

I think the problem is that you are only seeing one side of the
conversation. Copper taps generally split the taped data into send and
receive wires, So Tap A is one direction of the traffic and Tap B is the
other.

You can feed tap A and tap B into a switch that has port monitoring
capabilities so you can recombine the traffic from Tap A and Tap B into a
single cable. Or you can use a computer with 2 nic cards and perform channel
bonding between the nic cards.

Hope this helps

Ian


----- Original Message -----
From: <Holger.Woehle () arcor net>
To: <snort-users () lists sourceforge net>
Sent: Thursday, August 15, 2002 6:02 AM
Subject: [Snort-users] snort behind TAP & asynchronous_link


> Hello,
> i always still hang on the problem running snort behind a shomiti ethernet
TAP.
> That is my network:
>
>
>
>              +---+     +---+           +---+
>              | S |     | R |           | S |
>    +-----+   | W |     | O |           | W |   +-------+
>    |     |   | I |     | U |   +---+   | I |   |       |
>    |  A  |===| T |=====| T |===|TAP|===| T |===| httpd |
>    |     |   | C |     | E |   +---+   | C |   |       |
>    +-----+   | H |     | R |     |     | H |   +-------+
>              | 1 |     |   |     |     | 2 |
>              +---+     +---+     |     +---+
>                                  |
>                               +-------+
>                               | SNORT |
>                               +-------+
>
> The TAP sits between the Router and Switch2.
> Lower surface of the TAP:
>
>                       +--------------------+
>                       |    Century TAP     |
>    >from Router=======A                    B===============> to SWITCH 2
>                       |                    |
>      <to SNORT========Tap A            Tap B
>                       |                    |
>                       +--------------------Power-----
>
> I am using Snort 1.9.0beta4 and the default snort.conf with one change:
> preprozessor stream4: detect_scans, disable_evasion_alerts,
asynchronous_link
> if a append keepstates i understand that snort logs some infos about
states into
> /var/log/snort,
> but there does not appear something like state.log ?
>
> Snort does not recognize the alerts with the flow:to_server,established
> attributes.
> I seems to me, that snort does not reassemble the stream.
> If i delete the established attribute snort recognises the alert.
> But then i run into my other problem (please see thread: snort seas no
> fragmented error).
>
> with regards
> Holger
>
>
>
>
>
>
>
>
>
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by: OSDN - Tired of that same old
> cell phone?  Get a new here for FREE!
> https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users