No subject


Thu Nov 23 16:31:58 EST 2017


What I would like to do is have three NICs in a sensor. One for the network
connection, the other two being connected directly from the tap to the NICs.

My question is how do you set up snort to recognize that these two ports are
the same data stream. Is it necessary?
 
Would like some guidance on this if you have the time...
 
thanks
Paul Powenski


Paul, you asked about TAPs yesterday and got 2 answers (see
http://marc.theaimsgroup.com/?t=105576743400003&r=1&w=2).
It is of course necessary to reassemble the 2 split data streams from the
Taps. This can be achieved as suggested yesterday via Linux channel bonding (or
the *BSD equivalent), using a switch with port aggregation and port
mirroring, with special equipment like toplayer switches, or as you've
already tested with a hub. All have pros and cons. These have also already
been discussed on the snort-users list so give the archives a search ;)

HTH,
Sandro

> I have set up the router/switch method of connecting a snort sensor, and I
> have used the hub method.
>
> From my investigations there are some flaws with both of them.
>
> What I would like to do is have three NICs in a sensor. One for the network
> connection, the other two being connected directly from the tap to the NICs.
>
> My question is how do you set up snort to recognize that these two ports are
> the same data stream. Is it necessary?
>
> Would like some guidance on this if you have the time...
>
> thanks
> Paul Powenski
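Why the two tap outputs have to be recombined, as an added example that is not part of the original thread: a constructed TCP handshake arrives split by direction across two NICs, and a simplified handshake tracker (an illustration, not Snort's own stream reassembly) finds no established session on either NIC alone but finds one on the timestamp-merged stream. All names, addresses and packets are constructed for the example.

```python
import heapq
from collections import namedtuple

# Constructed sample data: one TCP handshake plus a request, as a passive
# tap delivers it, with each direction arriving on its own NIC.
Pkt = namedtuple("Pkt", "ts src dst flags")

CLIENT, SERVER = "10.0.0.5:40000", "10.0.0.80:80"
NIC_A = [  # tap port A: client -> server only
    Pkt(0.000, CLIENT, SERVER, "S"),
    Pkt(0.002, CLIENT, SERVER, "A"),
    Pkt(0.003, CLIENT, SERVER, "PA"),
]
NIC_B = [  # tap port B: server -> client only
    Pkt(0.001, SERVER, CLIENT, "SA"),
    Pkt(0.004, SERVER, CLIENT, "A"),
]


def merge_tap_streams(*streams):
    """Interleave per-NIC streams into one stream ordered by timestamp."""
    return list(heapq.merge(*streams, key=lambda p: p.ts))


def established_sessions(packets):
    """Return (client, server) pairs whose full three-way handshake
    (SYN, SYN/ACK, ACK) was observed in this packet stream."""
    state = {}          # (client, server) -> "SYN" | "SYNACK"
    established = set()
    for p in packets:
        if p.flags == "S":
            state[(p.src, p.dst)] = "SYN"
        elif p.flags == "SA" and state.get((p.dst, p.src)) == "SYN":
            state[(p.dst, p.src)] = "SYNACK"
        elif "A" in p.flags and state.get((p.src, p.dst)) == "SYNACK":
            established.add((p.src, p.dst))
    return established


if __name__ == "__main__":
    views = (("NIC A only", NIC_A), ("NIC B only", NIC_B),
             ("merged", merge_tap_streams(NIC_A, NIC_B)))
    for name, stream in views:
        print(f"{name:11s} established: {sorted(established_sessions(stream))}")
```

Channel bonding, port aggregation or a hub perform this interleaving before the sensor sees the packets, so the sensor reads a single interface carrying both directions.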




More information about the Snort-devel mailing list