RE: Snort IDS + TAPS
PPowenski_at_oag.com
Date: 11/14/03
- Previous message: kgeorgiades_at_toplayer.com: "RE: Snort IDS + TAPS"
- Maybe in reply to: Eric Hines: "Snort IDS + TAPS"
To: creining@packetfu.org, eric.hines@appliedwatch.com
Date: Fri, 14 Nov 2003 09:05:21 -0000
I am using this method myself and it works well.
-----Original Message-----
From: Chris Reining [mailto:creining@packetfu.org]
Sent: 13 November 2003 16:23
To: Eric Hines
Cc: focus-ids@securityfocus.com; snort-users@sourceforge.net
Subject: Re: Snort IDS + TAPS
Eric,
I would recommend using the channel bonding module under Linux to aggregate the
RX and TX streams from your INTERFACE 1 and INTERFACE 2 and run Snort on the
bonded interface.
I use it like so to bond eth0 and eth1 together to interface bond0:
/etc/modules.conf:
alias bond0 bonding
options bond0 miimon=100 downdelay=0
/etc/sysconfig/network-scripts/ifcfg-bond0:
DEVICE=bond0
USERCTL=no
ONBOOT=yes
/etc/sysconfig/network-scripts/ifcfg-{eth0,eth1} (one file per slave):
DEVICE=eth0        # DEVICE=eth1 in ifcfg-eth1
USERCTL=no
ONBOOT=yes
MASTER=bond0
SLAVE=yes
Note that when a program such as snort or tcpdump puts the bonded interface
into PROMISC mode, this is propagated down to the trunks.
Also see the bonding.txt doc.
Hope this helps,
Chris
On Wed, Nov 12, 2003 at 01:23:45PM -0800, Eric Hines wrote:
> All:
>
> We are deploying Snort on a two-interface appliance, connected to a GigE
> Netoptics Ethernet TAP. By design, TAPs are split up into (2) monitoring ports
> (RX split up between two ports):
>
> INTERFACE 1 - (from router -> switch) [ ]
> INTERFACE 2 - (from switch -> router) [ ]
>
> Obviously, because the RX is split up between 2 ports, if we bind Snort to
> interface 1, it will only see traffic from ROUTER -> SWITCH. If we bind Snort
> to interface 2, it will only see traffic from SWITCH -> ROUTER. Therefore, we
> must bind Snort to both interfaces to see both sides of the session. Here's
> where the problem is. If 2 separate Snort processes are monitoring two
> interfaces, how is the Snort on each interface going to maintain state for all
> the connections? Each Snort process only sees 1/2 of the connection!
>
> I've spoken to someone who has said Snort requires modification to listen on a
> tapped device because of this very issue. Someone please advise.
>
>
> -------------------------------------------
> Eric Hines
> CEO, Chairman
> Applied Watch Technologies, Inc.
> web: http://www.appliedwatch.com
> email: eric.hines@appliedwatch.com
> -------------------------------------------
> Direct: (877) 262-7593 x327 - Toll Free
> Fax: (877) 262-7593
> Main: (877) 262-7593 (9am-5pm CST)
> -------------------------------------------
> "Break free of the IDS Web Browser Prison at
> Applied Watch Technologies"
>
> ---------------------------------------------------------------------------
> Network with over 10,000 of the brightest minds in information security
> at the largest, most highly-anticipated industry event of the year.
> Don't miss RSA Conference 2004! Choose from over 200 class sessions and
> see demos from more than 250 industry vendors. If your job touches
> security, you need to be here. Learn more or register at
> http://www.securityfocus.com/sponsor/RSA_focus-ids_031023
> and use priority code SF4.
> ---------------------------------------------------------------------------
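The problem Eric describes and the fix Chris proposes, as an added worked example (this is not code from any of the posts above, and the toy tracker is not Snort's stream preprocessor). A tap hands each direction of the link to its own monitor port, so a NIC on port 1 captures only router -> switch frames and a NIC on port 2 only switch -> router frames. The two packet lists below are constructed stand-ins for those captures, with constructed addresses; `aggregate()` merges them into one arrival-ordered stream, which is the view a bonded interface gives the sniffer, and `inspect()` shows that a handshake-tracking inspector only reaches ESTABLISHED, and only inspects payload, on the merged stream.

```python
# Added illustration for the thread above; not code from the original posts.
from dataclasses import dataclass
from heapq import merge
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Pkt:
    ts: float    # capture timestamp in seconds
    src: str
    dst: str
    flags: str   # simplified TCP flags: "S", "SA", "A", "PA"


CLIENT, SERVER = "10.0.0.5", "192.0.2.80"   # constructed addresses

# Constructed capture from the NIC on monitor port 1 (router -> switch).
LEG_A: List[Pkt] = [
    Pkt(1.000, CLIENT, SERVER, "S"),    # SYN
    Pkt(1.002, CLIENT, SERVER, "A"),    # final ACK of the handshake
    Pkt(1.003, CLIENT, SERVER, "PA"),   # first data segment
]
# Constructed capture from the NIC on monitor port 2 (switch -> router).
LEG_B: List[Pkt] = [
    Pkt(1.001, SERVER, CLIENT, "SA"),   # SYN/ACK
    Pkt(1.004, SERVER, CLIENT, "A"),    # ACK of the data
]


def aggregate(*legs: Iterable[Pkt]) -> List[Pkt]:
    """Merge per-direction captures into one timestamp-ordered stream.

    This is the view a bonded interface (or a tap aggregator) gives the IDS:
    both RX streams delivered on one device in arrival order.
    """
    return list(merge(*legs, key=lambda p: p.ts))


def inspect(stream: Iterable[Pkt]) -> Tuple[str, int]:
    """Run a toy three-way-handshake tracker over a stream.

    Returns (state of the CLIENT<->SERVER flow, number of post-handshake
    segments accepted for inspection).  Like a real stream reassembler, it
    only inspects payload on connections whose handshake it witnessed.
    """
    flows: Dict[Tuple[str, ...], str] = {}
    accepted = 0
    for p in stream:
        key = tuple(sorted((p.src, p.dst)))
        state = flows.get(key, "NONE")
        if state == "NONE" and p.flags == "S":
            flows[key] = "SYN_SENT"
        elif state == "SYN_SENT" and p.flags == "SA":
            flows[key] = "SYN_RECV"
        elif state == "SYN_RECV" and p.flags == "A":
            flows[key] = "ESTABLISHED"
        elif state == "ESTABLISHED":
            accepted += 1
        # Anything else is a segment with no usable state and is skipped.
    return flows.get(tuple(sorted((CLIENT, SERVER))), "NONE"), accepted


if __name__ == "__main__":
    for name, stream in (("port 1 only", LEG_A),
                         ("port 2 only", LEG_B),
                         ("both legs aggregated", aggregate(LEG_A, LEG_B))):
        state, seen = inspect(stream)
        print(f"{name:22s} -> state={state}, segments inspected={seen}")
```

Bound to port 1 alone the tracker is stuck in SYN_SENT (it never sees the SYN/ACK); bound to port 2 alone it never even opens a flow, because the first thing it sees is a SYN/ACK with no preceding SYN. Only the merged stream reaches ESTABLISHED and inspects the data segments, which is why two independent Snort processes cannot keep state and one process on the aggregated interface can.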
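A check for the bonding setup Chris describes, as an added example (not code from the posts above). It reads the files the Linux bonding driver exposes under sysfs, assuming the layout /sys/class/net/<bond>/bonding/slaves, /sys/class/net/<bond>/bonding/mode and /sys/class/net/<iface>/flags (a hex word of IFF_* bits from <linux/if.h>), and confirms that both tap legs are enslaved, up and promiscuous. The mode check goes slightly beyond the thread: Chris's config relies on the default mode, and in active-backup mode the driver discards frames received on the backup slave, so one tap leg would silently disappear. The `fake_sysfs()` helper builds a constructed tree so the check can be run offline; on a live system pass "/sys" instead.

```python
# Added example for the thread above; not code from the original posts.
import os
import tempfile
from typing import Dict, List

IFF_UP = 0x1          # from <linux/if.h>
IFF_PROMISC = 0x100


def read_flags(root: str, ifname: str) -> int:
    with open(os.path.join(root, "class", "net", ifname, "flags")) as f:
        return int(f.read().strip(), 16)


def bond_attr(root: str, bond: str, attr: str) -> str:
    with open(os.path.join(root, "class", "net", bond, "bonding", attr)) as f:
        return f.read().strip()


def check_bond(root: str, bond: str, expected_slaves: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the bond looks usable.

    root is the sysfs mount point ("/sys" on a live system).  Run it while
    the sniffer is attached to the bond, since PROMISC is only set then.
    """
    problems = []
    slaves = bond_attr(root, bond, "slaves").split()
    missing = sorted(set(expected_slaves) - set(slaves))
    if missing:
        problems.append(f"not enslaved to {bond}: {missing}")
    # The mode file reads e.g. "balance-rr 0"; only the name matters here.
    mode = bond_attr(root, bond, "mode").split()[0]
    if mode == "active-backup":
        problems.append(f"{bond} is in active-backup mode; RX from the backup slave is dropped")
    if not read_flags(root, bond) & IFF_PROMISC:
        problems.append(f"{bond} is not promiscuous (is the sniffer running on it?)")
    for s in slaves:
        fl = read_flags(root, s)
        if not fl & IFF_UP:
            problems.append(f"{s} is down")
        if not fl & IFF_PROMISC:
            problems.append(f"{s} did not inherit PROMISC from {bond}")
    return problems


def fake_sysfs(bond: str, mode: str, bond_flags: int,
               slave_flags: Dict[str, int]) -> str:
    """Build a constructed sysfs tree in a temp dir so the check runs offline."""
    root = tempfile.mkdtemp()

    def put(rel: str, text: str) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text + "\n")

    mode_index = {"balance-rr": 0, "active-backup": 1}.get(mode, 0)
    put(f"class/net/{bond}/bonding/slaves", " ".join(slave_flags))
    put(f"class/net/{bond}/bonding/mode", f"{mode} {mode_index}")
    put(f"class/net/{bond}/flags", hex(bond_flags))
    for name, fl in slave_flags.items():
        put(f"class/net/{name}/flags", hex(fl))
    return root


if __name__ == "__main__":
    import sys
    # Default: a constructed tree where eth1 is up but not promiscuous.
    root = sys.argv[1] if len(sys.argv) > 1 else fake_sysfs(
        "bond0", "balance-rr", 0x1503, {"eth0": 0x1903, "eth1": 0x1803})
    for line in check_bond(root, "bond0", ["eth0", "eth1"]) or ["bond0 looks usable"]:
        print(line)
```

Run it as `python3 check_bond.py /sys` on the sensor while Snort is up. The flag words used in the constructed tree are typical values (0x1903 is UP|BROADCAST|PROMISC|SLAVE|MULTICAST); the check only looks at the UP and PROMISC bits.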