Snort mailing list archives

RE: Passive Tap Help


From: Dirk Geschke <Dirk () geschke-online de>
Date: 01 Dec 2003 22:01:30 +0100

Hi all,

It may be worth replacing the "switch/spanned port" section with a
second "sniffing interface" to the sensor.  i.e.  One interface sniffs
incoming, the other sniffs outgoing.
 
[...]

Yup, that's been advertised as a solution. I like to see some comments
from folks using it as well.

But you need to be clearer on the second interface solution. It is
possible to use a second NIC and have two pcaps running and the IDS
reassembling the data itself. Or you can have two NICs set up as a
bonded/joined interface where the OS does the reassembling and a single
instance of pcap and IDS runs over the traffic.

My guess on performance is that 1) produces an unneeded overhead that
can be saved with 2). Since there is only a single instance of pcap/IDS,
it shouldn't impact performance at all.

There is one important thing you should not overlook. With two separate
instances of snort and therefore two instances of pcap you won't be
able to use the stream4 preprocessor and especially the "established"
feature. But this is one of the most important features. Otherwise you
can feed one of the snort processes with as many false positive alerts
as you like. For example the "fpg" program (this is part of FLoP) is
able to generate such network packets at a very high rate. The limit
is given by your network...

Best regards

Dirk 
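The stream4 "established" point above, as an added example that is not part of the original post: a toy TCP flow tracker fed with constructed packets (the addresses and the content signature are made up) showing that a rule gated on an established flow ignores a packet whose flow never completed a handshake, while a sensor that sees only one tap leg can never mark any flow as established.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags payload")
SIG = b"/cgi-bin/test-cgi"  # constructed content signature, not a real rule

def flow_key(p):
    # Direction-agnostic key so both halves of a conversation map to one flow.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

class StreamTracker:
    def __init__(self):
        self.state = {}  # flow_key -> "SYN" | "SYNACK" | "ESTABLISHED"

    def seen(self, p):
        key, st = flow_key(p), self.state.get(flow_key(p))
        if p.flags == {"SYN"}:
            self.state[key] = "SYN"
        elif p.flags == {"SYN", "ACK"} and st == "SYN":
            self.state[key] = "SYNACK"
        elif "ACK" in p.flags and st == "SYNACK":
            self.state[key] = "ESTABLISHED"

    def established(self, p):
        return self.state.get(flow_key(p)) == "ESTABLISHED"

def scan(packets, require_established=True):
    # Like a content rule with/without 'flow:established': returns (src, dst)
    # for each matching packet, optionally only when its flow is established.
    tracker, alerts = StreamTracker(), []
    for p in packets:
        tracker.seen(p)
        if SIG in p.payload and (not require_established or tracker.established(p)):
            alerts.append((p.src, p.dst))
    return alerts

# Constructed traffic: a real client/server exchange plus one stateless
# packet from a source that never completed a handshake.
C, S = ("10.0.0.5", 40000), ("10.0.0.80", 80)
TRAFFIC = [Packet(*C, *S, {"SYN"}, b""),
           Packet(*S, *C, {"SYN", "ACK"}, b""),
           Packet(*C, *S, {"ACK"}, b""),
           Packet(*C, *S, {"PSH", "ACK"}, b"GET /cgi-bin/test-cgi HTTP/1.0"),
           Packet("10.9.9.9", 4444, *S, {"PSH", "ACK"}, b"GET /cgi-bin/test-cgi")]

def bonded_interface():      # one pcap instance sees both tap legs
    return scan(TRAFFIC)
def separate_interface():    # this pcap instance sees only the client->server leg
    return scan([p for p in TRAFFIC if p.dst == S[0]])
def no_stream_tracking():    # stream4 "established" check disabled
    return scan(TRAFFIC, require_established=False)
```

The bonded case alerts once on the genuine request, the single-leg case alerts on nothing because no handshake is ever complete, and dropping the established check also alerts on the stateless packet.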


