Re: port bonding and taps
From: Bamm Visscher (bamm_at_satx.rr.com)
Date: 10/02/03
- Previous message: Dpk: "Re: Multiple network segment monitor with Snort"
- In reply to: John Flynn: "port bonding and taps"
- Next in thread: Aaron Cheek: "Re: port bonding and taps"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 2 Oct 2003 11:07:48 -0500 To: focus-ids@securityfocus.com
Rich Bejtlich posted [0] how he bonded/mirrored two interfaces into a third using netgraph in FreeBSD.
Bammkkkk
[0] http://marc.theaimsgroup.com/?l=snort-users&m=105585533810122&w=2
On Wed, Oct 01, 2003 at 02:53:34PM -0400, John Flynn wrote:
> Hi all,
>
> I'm trying to set up various snort boxes, both on fiber and copper taps.
> In order to reconstruct both sides of the stream I understand that one
> needs to use multiple cards since the tap outputs the tx and rx on
> separate channels. The problem is that to make snort alert correctly one
> really has to aggregate the directions. This is commonly done using a
> spanning port, but we do not have enough of those at our facility to go
> around. In linux (and in general) it seems this idea is called port
> bonding. There is a bonding kernel module for linux and appropriate
> commands for setting this up (ifenslave etc), but it seems to be very
> poorly documented. I have tried to set up bonding multiple times and
> could not seem to get it to work. Does anyone have good documentation on
> how to do this type of set up, or perhaps a better way to do snort+taps
> without using a spanning port?
> Thanks,
> John Flynn
---------------------------------------------------------------------------
Captus Networks IPS 4000
Intrusion Prevention and Traffic Shaping Technology to:
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Automatically Control P2P, IM and Spam Traffic
- Precisely Define and Implement Network Security & Performance Policies
FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
---------------------------------------------------------------------------
- Previous message: Dpk: "Re: Multiple network segment monitor with Snort"
- In reply to: John Flynn: "port bonding and taps"
- Next in thread: Aaron Cheek: "Re: port bonding and taps"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
