RE: Snort IDS + TAPS

kgeorgiades_at_toplayer.com
Date: 11/14/03

    To: eric.hines@appliedwatch.com, focus-ids@securityfocus.com
    Date: Thu, 13 Nov 2003 22:15:45 -0500
    
    

    You can also use the Top Layer IDS Balancer to aggregate traffic from
    multiple taps and deliver the traffic to the Snort sensor.
    www.toplayer.com

    The Top Layer IDSB will put the flows together for you, and will also give
    you the option to filter the traffic before delivering it to the Snort
    sensor.

    Note: I work for Top Layer.

    Kyriacos (Ken) Georgiades
    Senior Director, Product Line Management
    Top Layer Networks, Inc
    Tel: 508 870 1300 x 231
    Cell: 508 783 5988
    Fax: 508 870 9797
    Email: kgeorgiades@toplayer.com
    www.toplayer.com

    -----Original Message-----
    From: Eric Hines [mailto:eric.hines@appliedwatch.com]
    Sent: Wednesday, November 12, 2003 4:24 PM
    To: focus-ids@securityfocus.com
    Cc: snort-users@sourceforge.net
    Subject: Snort IDS + TAPS

    All:

    We are deploying Snort on a two interface appliance, connected to a GigE
    Netoptics Ethernet TAP. By design, TAPs are split up into (2) monitoring
    ports (RX split up between two ports):

    INTERFACE 1 - (from router -> switch) [ ]
    INTERFACE 2 - (from switch -> router) [ ]

    Obviously because the RX is split up between 2 ports, if we bind Snort to
    interface 1, it will only see traffic from ROUTER -> SWITCH. If we bind
    Snort to interface 2, it will only see traffic from SWITCH -> ROUTER.
    Therefore, we must bind Snort to both interfaces to see both sides of the
    session. Here's where the problem is. If 2 separate Snort processes are
    monitoring two interfaces, how is the Snort on each interface going to
    maintain state for all the connections? Each snort process only sees 1/2
    of the connection!

    I've spoken to someone that has said Snort requires modification to listen
    on a tapped device because of this very issue. Someone please advise.

    -------------------------------------------
    Eric Hines
    CEO, Chairman
    Applied Watch Technologies, Inc.
    web: http://www.appliedwatch.com
    email: eric.hines@appliedwatch.com
    -------------------------------------------
    Direct: (877) 262-7593 x327 - Toll Free
    Fax: (877) 262-7593
    Main: (877) 262-7593 (9am-5pm CST)
    -------------------------------------------
    "Break free of the IDS Web Browser Prison at
    Applied Watch Technologies"

    ---------------------------------------------------------------------------
    Network with over 10,000 of the brightest minds in information security
    at the largest, most highly-anticipated industry event of the year.
    Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    see demos from more than 250 industry vendors. If your job touches
    security, you need to be here. Learn more or register at
    http://www.securityfocus.com/sponsor/RSA_focus-ids_031023
    and use priority code SF4.
    ---------------------------------------------------------------------------
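Editor's added example (not code from the thread, from Snort or from Top Layer) of the half-session problem Eric describes and of why aggregating the two TAP legs, whether with an IDS balancer as Ken suggests or with a bonded interface on the sensor itself, fixes it. Two constructed per-interface captures stand in for the TAP's two monitor ports, a minimal 3-way-handshake tracker stands in for a stateful IDS preprocessor, and a "fire only inside an established session" check stands in for a rule qualified with flow:established,to_server. All addresses, timestamps and payloads are made up.

```python
"""Toy demonstration of the half-session problem raised in this thread.

Added example, not code from the thread or from Snort/Top Layer: two
constructed per-interface captures stand in for the two monitor ports of
the TAP, and a minimal 3-way-handshake tracker stands in for a stateful
IDS preprocessor. Packet contents, addresses and timestamps are made up.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# TCP flag bits we care about.
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Pkt:
    ts: float            # capture timestamp, seconds
    src: Endpoint
    dst: Endpoint
    flags: int
    payload: bytes = b""


# Constructed session: a client behind the router talks to a web server
# behind the switch. INTERFACE 1 (router -> switch) only ever carries the
# client's packets, INTERFACE 2 (switch -> router) only the server's.
CLIENT: Endpoint = ("10.0.0.5", 40001)
SERVER: Endpoint = ("192.0.2.10", 80)

IFACE1 = [  # router -> switch leg
    Pkt(1.000, CLIENT, SERVER, SYN),
    Pkt(1.002, CLIENT, SERVER, ACK),
    Pkt(1.003, CLIENT, SERVER, PSH | ACK, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
]
IFACE2 = [  # switch -> router leg
    Pkt(1.001, SERVER, CLIENT, SYN | ACK),
    Pkt(1.010, SERVER, CLIENT, PSH | ACK, b"HTTP/1.0 403 Forbidden\r\n\r\n"),
]


def flow_key(p: Pkt) -> Tuple[Endpoint, Endpoint]:
    """Direction-independent key so both halves of a session share one entry."""
    a, b = p.src, p.dst
    return (a, b) if a <= b else (b, a)


class SessionTracker:
    """NEW -> SYN_SENT -> SYN_RECV -> ESTABLISHED on SYN, SYN/ACK, ACK.

    Anything else arriving for a session the tracker has not seen open is
    marked MIDSTREAM: that is exactly what a sensor on one TAP leg sees.
    """

    def __init__(self) -> None:
        self.state: Dict[Tuple[Endpoint, Endpoint], str] = {}

    def feed(self, p: Pkt) -> str:
        k = flow_key(p)
        s = self.state.get(k, "NEW")
        syn, ack = bool(p.flags & SYN), bool(p.flags & ACK)
        if s == "NEW" and syn and not ack:
            s = "SYN_SENT"
        elif s == "SYN_SENT" and syn and ack:
            s = "SYN_RECV"
        elif s == "SYN_RECV" and ack and not syn:
            s = "ESTABLISHED"
        elif s == "NEW":
            s = "MIDSTREAM"
        self.state[k] = s
        return s

    def run(self, packets: Iterable[Pkt]) -> Dict[Tuple[Endpoint, Endpoint], str]:
        for p in packets:
            self.feed(p)
        return self.state


def merge_captures(*legs: List[Pkt]) -> List[Pkt]:
    """Aggregate the TAP legs into one time-ordered stream.

    This is what a bonded interface or an aggregation device in front of
    the sensor provides; the sensor then sees both directions in order.
    """
    return sorted((p for leg in legs for p in leg), key=lambda p: p.ts)


def established_alerts(packets: Iterable[Pkt], pattern: bytes) -> List[str]:
    """Alert on `pattern` only within sessions seen established, in the
    spirit of a rule qualified with flow:established,to_server."""
    tracker = SessionTracker()
    alerts = []
    for p in packets:
        state = tracker.feed(p)
        if state == "ESTABLISHED" and p.dst == SERVER and pattern in p.payload:
            alerts.append(f"{p.ts:.3f} {p.src[0]}:{p.src[1]} -> "
                          f"{p.dst[0]}:{p.dst[1]} matched {pattern!r}")
    return alerts


if __name__ == "__main__":
    sig = b"/etc/passwd"
    for name, cap in (("iface1 only", IFACE1), ("iface2 only", IFACE2),
                      ("both legs merged", merge_captures(IFACE1, IFACE2))):
        states = SessionTracker().run(cap)
        print(f"{name:18s} session state={states[flow_key(cap[0])]:11s} "
              f"alerts={len(established_alerts(cap, sig))}")
```

Run stand-alone, the script shows the leg carrying the client's request stuck in SYN_SENT (it never sees the SYN/ACK), the server leg stuck in MIDSTREAM, and only the merged stream reaching ESTABLISHED and raising the alert. Merging by timestamp is a simplification: two separate NICs do not share a clock, which is one reason a single aggregated feed (bonded interface or balancer) in front of the sensor is preferable to stitching two captures together after the fact.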
