Snort mailing list archives

Re: Ethernet Tap


From: Craig Paterson <craigp () tippett com>
Date: Fri, 13 Aug 2004 11:56:01 -0700

Frank Knobbe wrote:

> On Fri, 2004-08-13 at 13:31, STEVE MAKOUSKY wrote:
>> If not is it easy enough to start snort on two nics and log to the
>> same database and handle packet reconstruction that way????
>
> Uhm... no. Who would be doing the reconstruction? Snort isn't, the
> database isn't.
>
> Sorry, if you want to sniff a single data stream on two NICS
> (split-tap), you would need to configure these NICs in bridge-mode, or
> somehow else have the OS treat both NICs as a single NIC.

Though you (well, Steve anyway) might be able to have his OS do the recombination for him. I'm not sure how easy/feasible it is on other platforms, but we use half-duplex NICs combined into a single full-duplex virtual device using Linux channel bonding. Snort runs against the bonded device, and sees a full-duplex stream.

Craig.
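
The bonded-sensor setup described in the message above, sketched with iproute2 as an added example (not part of the original post and not Craig's or the Snort project's own configuration). The interface names bond0, eth1 and eth2, the balance-rr mode and the snort.conf path are assumptions; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: bond0, eth1, eth2.
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; 0 = execute (needs root)

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Accept only plausible Linux interface names (at most 15 characters).
valid_ifname() {
    case "$1" in
        ""|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# bond_taps BOND NIC_A NIC_B: one NIC per tap output, joined under BOND.
bond_taps() {
    [ "$#" -eq 3 ] || { echo "usage: bond_taps BOND NIC_A NIC_B" >&2; return 2; }
    [ "$2" != "$3" ] || { echo "tap NICs must differ" >&2; return 2; }
    for n in "$@"; do
        valid_ifname "$n" || { echo "bad interface name: $n" >&2; return 2; }
    done
    bond="$1"; shift
    # balance-rr is an assumed choice: in this mode the bonding driver
    # propagates promiscuous mode to every slave, so both directions are seen.
    run ip link add "$bond" type bond mode balance-rr || return 1
    for nic in "$@"; do
        run ip link set dev "$nic" down || return 1     # bring down before enslaving
        run ip addr flush dev "$nic" || return 1        # sensor ports carry no IP
        run ip link set dev "$nic" master "$bond" || return 1
    done
    run ip link set dev "$bond" arp off || return 1     # keep the sensor silent
    run ip link set dev "$bond" promisc on || return 1
    run ip link set dev "$bond" up || return 1
}

# Build the bond, then point Snort at it (config path is an assumption).
bond_taps "${1:-bond0}" "${2:-eth1}" "${3:-eth2}" &&
    run snort -i "${1:-bond0}" -c /etc/snort/snort.conf
```

Run it with `DRY_RUN=0` as root to apply the commands; Snort then listens on the bond rather than on either tap NIC.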

