RE: Snort IDS + TAPS

PPowenski_at_oag.com
Date: 11/14/03

    To: creining@packetfu.org, eric.hines@appliedwatch.com
    Date: Fri, 14 Nov 2003 09:05:21 -0000
    
    

    I am using this method myself and it works well.

    -----Original Message-----
    From: Chris Reining [mailto:creining@packetfu.org]
    Sent: 13 November 2003 16:23
    To: Eric Hines
    Cc: focus-ids@securityfocus.com; snort-users@sourceforge.net
    Subject: Re: Snort IDS + TAPS

    Eric,
    I would recommend using the channel bonding module under Linux to aggregate
    the RX and TX streams from your INTERFACE 1 and INTERFACE 2 and run snort on
    the bonded interface.

    I use it like so to bond eth0 and eth1 together to interface bond0:

    /etc/modules.conf:
    alias bond0 bonding
    options bond0 miimon=100 downdelay=0

    /etc/sysconfig/network-scripts/ifcfg-bond0:
    DEVICE=bond0
    USERCTL=no
    ONBOOT=yes

    /etc/sysconfig/network-scripts/ifcfg-{eth0,eth1}:
    DEVICE=eth0
    USERCTL=no
    ONBOOT=yes
    MASTER=bond0
    SLAVE=yes

    Note that when a program such as snort or tcpdump sets the bonded interface
    in PROMISC mode it will be propagated down to the trunks.

    Also see bonding.txt doc.

    Hope this helps,
    Chris

    On Wed, Nov 12, 2003 at 01:23:45PM -0800, Eric Hines wrote:
    > All:
    >
    > We are deploying Snort on a two interface appliance, connected to a GigE
    > Netoptics Ethernet TAP. By design, TAPs are split up into (2) monitoring
    > ports, (RX split up between two ports):
    >
    > INTERFACE 1 - (from router -> switch) [ ]
    > INTERFACE 2 - (from switch -> router) [ ]
    >
    > Obviously because the RX is split up between 2 ports, if we bind Snort
    > to interface 1, it will only see traffic from ROUTER -> SWITCH. If we bind
    > Snort to interface 2, it will only see traffic from SWITCH -> ROUTER.
    > Therefore, we must bind Snort to both interfaces to see both sides of the
    > session. Here's where the problem is. If 2 separate Snort processes are
    > monitoring two interfaces, how is the Snort on each interface going to
    > maintain state for all the connections? Each snort process only sees 1/2
    > of the connection!
    >
    > I've spoken to someone that has said Snort requires modification to
    > listen on a tapped device because of this very issue. Someone please
    > advise.
    >
    >
    > -------------------------------------------
    > Eric Hines
    > CEO, Chairman
    > Applied Watch Technologies, Inc.
    > web: http://www.appliedwatch.com
    > email: eric.hines@appliedwatch.com
    > -------------------------------------------
    > Direct: (877) 262-7593 x327 - Toll Free
    > Fax: (877) 262-7593
    > Main: (877) 262-7593 (9am-5pm CST)
    > -------------------------------------------
    > "Break free of the IDS Web Browser Prison at
    > Applied Watch Technologies"
    >
    > ---------------------------------------------------------------------------
    > Network with over 10,000 of the brightest minds in information security
    > at the largest, most highly-anticipated industry event of the year.
    > Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    > see demos from more than 250 industry vendors. If your job touches
    > security, you need to be here. Learn more or register at
    > http://www.securityfocus.com/sponsor/RSA_focus-ids_031023
    > and use priority code SF4.
    > ---------------------------------------------------------------------------



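The state-tracking problem Eric raises, and why Chris's bonding fix resolves it, shown with an added example that is not code from this thread: a minimal TCP three-way-handshake tracker is fed each TAP leg on its own and then the two legs merged (as the bonded interface would present them). Packet values, timestamps and the simplified state machine are constructed for illustration; the merge-by-timestamp step only models arrival order on bond0.

```python
from collections import namedtuple

# Constructed packet: capture timestamp, 4-tuple and TCP flag string.
Pkt = namedtuple("Pkt", "ts src sport dst dport flags")

# Constructed sample: one connection's handshake plus its first data segment,
# split across the two TAP monitoring ports exactly as Eric describes.
LEG_A = [  # TAP port 1: router -> switch (client side of the session)
    Pkt(1.0, "10.0.0.5", 40000, "192.168.1.10", 80, "S"),
    Pkt(1.2, "10.0.0.5", 40000, "192.168.1.10", 80, "A"),
    Pkt(1.3, "10.0.0.5", 40000, "192.168.1.10", 80, "PA"),
]
LEG_B = [  # TAP port 2: switch -> router (server side of the session)
    Pkt(1.1, "192.168.1.10", 80, "10.0.0.5", 40000, "SA"),
    Pkt(1.4, "192.168.1.10", 80, "10.0.0.5", 40000, "A"),
]


def flow_key(p):
    """Direction-independent key so both halves of a session share one entry."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def track(packets):
    """Run a toy handshake state machine; returns {flow_key: final_state}.

    syn_seen -> synack_seen -> established; any packet that does not fit the
    expected step marks the flow 'midstream' (no complete handshake observed),
    which is the situation a per-interface sensor ends up in.
    """
    state = {}
    for p in sorted(packets, key=lambda p: p.ts):  # model bond0 arrival order
        k, cur = flow_key(p), state.get(flow_key(p))
        if cur is None:
            state[k] = "syn_seen" if p.flags == "S" else "midstream"
        elif cur == "syn_seen":
            state[k] = "synack_seen" if p.flags == "SA" else "midstream"
        elif cur == "synack_seen":
            ok = "A" in p.flags and "S" not in p.flags
            state[k] = "established" if ok else "midstream"
        # 'established' and 'midstream' are terminal in this toy model
    return state


def compare_views():
    """Final flow state as seen by each leg alone and by the bonded view."""
    return {
        "interface1_only": list(track(LEG_A).values())[0],
        "interface2_only": list(track(LEG_B).values())[0],
        "bonded": list(track(LEG_A + LEG_B).values())[0],
    }
```

Running `compare_views()` reports `midstream` for either interface on its own and `established` only for the merged stream, which is exactly what a single Snort process on bond0 gets to see.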
