Snort IDS + TAPS

From: Eric Hines (eric.hines_at_appliedwatch.com)
Date: 11/12/03

  • Next message: Chris Reining: "Re: Snort IDS + TAPS"
    Date: Wed, 12 Nov 2003 13:23:45 -0800
    To: focus-ids@securityfocus.com
    
    

    All:

    We are deploying Snort on a two interface appliance, connected to a GigE
    Netoptics Ethernet TAP. By design, TAPs are split up into (2) monitoring ports,
    (RX split up between two ports):

    INTERFACE 1 - (from router -> switch) [ ]
    INTERFACE 2 - (from switch -> router) [ ]

    Obviously because the RX is split up between 2 ports, if we bind Snort to
    interface 1, it will only see traffic from ROUTER -> SWITCH. If we bind Snort
    to interface 2, it will only see traffic from SWITCH -> ROUTER. Therefore, we
    must bind Snort to both interfaces to see both sides of the session. Here's
    where the problem is. If 2 separate Snort processes are monitoring two
    interfaces, how is the Snort on each interface going to maintain state for all
    the connections? Each snort process only sees 1/2 of the connection!

    I've spoken to someone that has said Snort requires modification to listen on a
    tapped device because of this very issue. Someone please advise.

    -------------------------------------------
    Eric Hines
    CEO, Chairman
    Applied Watch Technologies, Inc.
    web: http://www.appliedwatch.com
    email: eric.hines@appliedwatch.com
    -------------------------------------------
    Direct: (877) 262-7593 x327 - Toll Free
    Fax: (877) 262-7593
    Main: (877) 262-7593 (9am-5pm CST)
    -------------------------------------------
    "Break free of the IDS Web Browser Prison at
    Applied Watch Technologies"
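The state problem described in the post, shown as an added example that is not part of the Focus-IDS thread: a toy TCP handshake tracker fed constructed packets from the two TAP monitor ports. A sensor bound only to INTERFACE 1 sees the SYN and the final ACK but never the SYN/ACK, so the flow stays half-open; one bound only to INTERFACE 2 sees a SYN/ACK for a flow it never saw start; only a process that receives both ports' packets in timestamp order reaches ESTABLISHED. Addresses, ports and timestamps are constructed; the tracker is a simplified model, not Snort's stream preprocessor.

```python
"""Added example (not part of the Focus-IDS thread): a toy TCP handshake
tracker showing why a sensor fed only one monitor port of a full-duplex
TAP cannot keep connection state. All packets below are constructed."""
from dataclasses import dataclass

# TCP flag bits used in the handshake
SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class Pkt:
    ts: float      # capture timestamp
    iface: int     # 1 = router->switch monitor port, 2 = switch->router port
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def flow_key(p):
    """Canonical bidirectional key so both directions map to one flow."""
    a = (p.src, p.sport)
    b = (p.dst, p.dport)
    return (a, b) if a < b else (b, a)


def track(packets):
    """Replay packets in timestamp order through a minimal TCP state
    machine and return {flow_key: state}. A first packet that is not a
    plain SYN is marked MIDSTREAM: the sensor has no record of how that
    connection started, so stateful rules cannot evaluate it."""
    states = {}
    for p in sorted(packets, key=lambda q: q.ts):
        k = flow_key(p)
        st = states.get(k)
        if st is None:
            states[k] = "SYN_SENT" if p.flags == SYN else "MIDSTREAM"
        elif st == "SYN_SENT" and p.flags == SYN | ACK:
            states[k] = "SYN_RECEIVED"
        elif st == "SYN_RECEIVED" and p.flags == ACK:
            states[k] = "ESTABLISHED"
    return states


# Constructed handshake: client 10.0.0.5 on the router side, server
# 192.168.1.10 on the switch side. Interface 1 carries router->switch
# packets, interface 2 carries switch->router, as in the TAP layout above.
HANDSHAKE = [
    Pkt(1.000, 1, "10.0.0.5", 40000, "192.168.1.10", 80, SYN),
    Pkt(1.001, 2, "192.168.1.10", 80, "10.0.0.5", 40000, SYN | ACK),
    Pkt(1.002, 1, "10.0.0.5", 40000, "192.168.1.10", 80, ACK),
]
FLOW = flow_key(HANDSHAKE[0])


def state_seen_by(ifaces, packets=HANDSHAKE):
    """State a sensor reaches when bound only to the given monitor ports."""
    return track([p for p in packets if p.iface in ifaces]).get(FLOW)


if __name__ == "__main__":
    print("interface 1 only:", state_seen_by({1}))     # SYN_SENT
    print("interface 2 only:", state_seen_by({2}))     # MIDSTREAM
    print("both ports merged:", state_seen_by({1, 2}))  # ESTABLISHED
```

The merged case is what a single Snort process needs: one capture stream carrying both monitor ports' packets, ordered by time, so that the reply to every request is visible to the same state table.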


