RE: Snort IDS + TAPS
kgeorgiades_at_toplayer.com
Date: 11/14/03
To: eric.hines@appliedwatch.com, focus-ids@securityfocus.com
Date: Thu, 13 Nov 2003 22:15:45 -0500
You can also use the Top Layer IDS Balancer to aggregate traffic from
multiple taps and deliver the traffic to the Snort sensor.
www.toplayer.com
The Top Layer IDSB will put the flows together for you, and will also give
you the option to filter the traffic before delivering it to the Snort
sensor.
Note: I work for Top Layer.
Kyriacos (Ken) Georgiades
Senior Director, Product Line Management
Top Layer Networks, Inc
Tel: 508 870 1300 x 231
Cell: 508 783 5988
Fax: 508 870 9797
Email: kgeorgiades@toplayer.com
www.toplayer.com
-----Original Message-----
From: Eric Hines [mailto:eric.hines@appliedwatch.com]
Sent: Wednesday, November 12, 2003 4:24 PM
To: focus-ids@securityfocus.com
Cc: snort-users@sourceforge.net
Subject: Snort IDS + TAPS
All:
We are deploying Snort on a two interface appliance, connected to a GigE
Netoptics Ethernet TAP. By design, TAPs are split up into (2) monitoring ports
(RX split up between two ports):
INTERFACE 1 - (from router -> switch) [ ]
INTERFACE 2 - (from switch -> router) [ ]
Obviously because the RX is split up between 2 ports, if we bind Snort to
interface 1, it will only see traffic from ROUTER -> SWITCH. If we bind Snort
to interface 2, it will only see traffic from SWITCH -> ROUTER. Therefore, we
must bind Snort to both interfaces to see both sides of the session. Here's
where the problem is. If 2 separate Snort processes are monitoring two
interfaces, how is the Snort on each interface going to maintain state for all
the connections? Each snort process only sees 1/2 of the connection!
I've spoken to someone that has said Snort requires modification to listen on a
tapped device because of this very issue. Someone please advise.
-------------------------------------------
Eric Hines
CEO, Chairman
Applied Watch Technologies, Inc.
web: http://www.appliedwatch.com
email: eric.hines@appliedwatch.com
-------------------------------------------
Direct: (877) 262-7593 x327 - Toll Free
Fax: (877) 262-7593
Main: (877) 262-7593 (9am-5pm CST)
-------------------------------------------
"Break free of the IDS Web Browser Prison at
Applied Watch Technologies"
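An added illustration of the problem Eric raises, not code from this thread or from Snort: a toy TCP handshake tracker fed with constructed packets shows that a sensor watching only one tap output port never sees a complete handshake, while the same tracker over the merged (re-timed) traffic from both ports does. The addresses, ports and timestamps are constructed sample data.

```python
# Added example (not from this thread): a sensor on one half of a split tap
# cannot track TCP state; the two directions must be merged first.
# Packet tuple: (time, src_ip, sport, dst_ip, dport, tcp_flags) -- constructed.

CLIENT, SERVER = "10.0.0.5", "192.0.2.80"   # constructed addresses

# Tap port 1 carries router -> switch traffic (the client's packets here).
PORT1 = [
    (1, CLIENT, 40000, SERVER, 80, "S"),    # SYN
    (3, CLIENT, 40000, SERVER, 80, "A"),    # ACK completing the handshake
    (4, CLIENT, 40000, SERVER, 80, "PA"),   # request data
]
# Tap port 2 carries switch -> router traffic (the server's packets here).
PORT2 = [
    (2, SERVER, 80, CLIENT, 40000, "SA"),   # SYN-ACK
    (5, SERVER, 80, CLIENT, 40000, "PA"),   # response data
]

def flow_key(pkt):
    """Direction-independent flow key so both halves map to one flow."""
    _, src, sport, dst, dport, _ = pkt
    return tuple(sorted([(src, sport), (dst, dport)]))

def track(packets):
    """Minimal handshake state machine: SYN_SENT -> SYN_RCVD -> ESTABLISHED.
    Returns {flow_key: state}; payload seen before ESTABLISHED is flagged,
    which is what a stateful engine would do with a half-duplex feed."""
    state = {}
    for pkt in sorted(packets, key=lambda p: p[0]):   # merge by timestamp
        key, flags = flow_key(pkt), pkt[5]
        cur = state.get(key, "NONE")
        if flags == "S" and cur == "NONE":
            state[key] = "SYN_SENT"
        elif flags == "SA" and cur == "SYN_SENT":
            state[key] = "SYN_RCVD"
        elif flags == "A" and cur == "SYN_RCVD":
            state[key] = "ESTABLISHED"
        elif "P" in flags and cur != "ESTABLISHED":
            state[key] = "DATA_WITHOUT_HANDSHAKE"
    return state

def compare():
    """State reached from each tap port alone versus both ports merged."""
    key = flow_key(PORT1[0])
    return {
        "port1_only": track(PORT1)[key],
        "port2_only": track(PORT2)[key],
        "merged": track(PORT1 + PORT2)[key],
    }

if __name__ == "__main__":
    print(compare())
```

Merging here is done in software by timestamp; an aggregating tap or an IDS balancer does the same job in hardware before the sensor interface, which is why a single Snort instance behind it can keep full session state.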
---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023
and use priority code SF4.
---------------------------------------------------------------------------