RE: Snort IDS + TAPS

kgeorgiades_at_toplayer.com
Date: 11/14/03

    To: eric.hines@appliedwatch.com, focus-ids@securityfocus.com
    Date: Thu, 13 Nov 2003 22:15:45 -0500
    
    

    You can also use the Top Layer IDS Balancer to aggregate traffic from
    multiple taps and deliver the traffic to the Snort sensor.
    www.toplayer.com

    The Top Layer IDSB will put the flows together for you, and will also give
    you the option to filter the traffic before delivering it to the Snort
    sensor.

    Note: I work for Top Layer.

    Kyriacos (Ken) Georgiades
    Senior Director, Product Line Management
    Top Layer Networks, Inc
    Tel: 508 870 1300 x 231
    Cell: 508 783 5988
    Fax: 508 870 9797
    Email: kgeorgiades@toplayer.com
    www.toplayer.com

    -----Original Message-----
    From: Eric Hines [mailto:eric.hines@appliedwatch.com]
    Sent: Wednesday, November 12, 2003 4:24 PM
    To: focus-ids@securityfocus.com
    Cc: snort-users@sourceforge.net
    Subject: Snort IDS + TAPS

    All:

    We are deploying Snort on a two interface appliance, connected to a GigE
    Netoptics Ethernet TAP. By design, TAPs are split up into (2) monitoring
    ports, (RX split up between two ports):

    INTERFACE 1 - (from router -> switch) [ ]
    INTERFACE 2 - (from switch -> router) [ ]

    Obviously because the RX is split up between 2 ports, if we bind Snort to
    interface 1, it will only see traffic from ROUTER -> SWITCH. If we bind
    Snort to interface 2, it will only see traffic from SWITCH -> ROUTER.
    Therefore, we must bind Snort to both interfaces to see both sides of the
    session. Here's where the problem is. If 2 separate Snort processes are
    monitoring two interfaces, how is the Snort on each interface going to
    maintain state for all the connections? Each snort process only sees 1/2
    of the connection!

    I've spoken to someone that has said Snort requires modification to listen
    on a tapped device because of this very issue. Someone please advise.

    -------------------------------------------
    Eric Hines
    CEO, Chairman
    Applied Watch Technologies, Inc.
    web: http://www.appliedwatch.com
    email: eric.hines@appliedwatch.com
    -------------------------------------------
    Direct: (877) 262-7593 x327 - Toll Free
    Fax: (877) 262-7593
    Main: (877) 262-7593 (9am-5pm CST)
    -------------------------------------------
    "Break free of the IDS Web Browser Prison at
    Applied Watch Technologies"

    ---------------------------------------------------------------------------
    Network with over 10,000 of the brightest minds in information security
    at the largest, most highly-anticipated industry event of the year.
    Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    see demos from more than 250 industry vendors. If your job touches
    security, you need to be here. Learn more or register at
    http://www.securityfocus.com/sponsor/RSA_focus-ids_031023
    and use priority code SF4.
    ---------------------------------------------------------------------------
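To make the state-tracking half of the question concrete, here is an added Python example (not from the thread, from Snort, or from Top Layer) that models what a tap aggregator such as the IDSB, or interface bonding on the sensor, has to do before one sensor can follow a TCP session: it merges the two per-direction tap views by timestamp and runs a minimal TCP handshake state machine over each view. The packet records, addresses and ports are constructed sample data.

```python
"""Why a stream-aware IDS needs both tap outputs merged into one stream.

Each tap monitor port carries one direction only, so a sensor bound to a
single port never sees a complete handshake and cannot establish state.
"""

# Constructed packets: (timestamp, src_ip, src_port, dst_ip, dst_port, tcp_flags)
# exactly as each of the two tap monitor ports would deliver them.
IF1_ROUTER_TO_SWITCH = [   # client behind the router -> server behind the switch
    (1.000, "10.1.1.5", 40000, "192.168.1.10", 80, "S"),
    (1.002, "10.1.1.5", 40000, "192.168.1.10", 80, "A"),
    (1.003, "10.1.1.5", 40000, "192.168.1.10", 80, "PA"),
]
IF2_SWITCH_TO_ROUTER = [   # server replies travelling the other way
    (1.001, "192.168.1.10", 80, "10.1.1.5", 40000, "SA"),
    (1.004, "192.168.1.10", 80, "10.1.1.5", 40000, "PA"),
]


def flow_key(pkt):
    """Direction-independent key so both halves of a session map to one flow."""
    _, sip, sp, dip, dp, _ = pkt
    a, b = (sip, sp), (dip, dp)
    return (a, b) if a <= b else (b, a)


def merge_taps(*views):
    """Interleave the per-direction packet lists by timestamp.

    This is the job an aggregator (or a bonded interface) does before Snort.
    """
    return sorted((p for view in views for p in view), key=lambda p: p[0])


def track_state(packets):
    """Tiny per-flow TCP state machine standing in for a stream preprocessor.

    Returns {flow_key: state}. 'midstream' means packets arrived that cannot be
    reconciled with a handshake, i.e. the sensor saw only part of the session.
    """
    state = {}
    for p in packets:
        key, flags = flow_key(p), p[5]
        cur = state.get(key, "closed")
        if cur == "closed" and flags == "S":
            state[key] = "syn_sent"
        elif cur == "syn_sent" and flags == "SA":
            state[key] = "syn_recv"
        elif cur == "syn_recv" and flags == "A":
            state[key] = "established"
        elif cur != "established":
            state[key] = "midstream"   # half-seen session: no reliable state
    return state
```

Run `track_state` on either interface's list alone and the flow ends up `midstream`; run it on `merge_taps(IF1_ROUTER_TO_SWITCH, IF2_SWITCH_TO_ROUTER)` and the same flow reaches `established`.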


