[Snort-users] Asynchronous routing

Eric Hacker hacker at ...251...
Sun Aug 6 15:00:23 EDT 2000


Your buddy does not mention the bandwidth that needs to be
monitored. Let's assume that it is not 100 meg since we know Snort
would not be able to handle 200 meg traffic. One can take multiple
10 meg feeds from different networks and use a switch to pipe them
into a 100 meg interface on an IDS.

Network Security Wizards has a paper on this technique by Jimmy
Alderson in a private area. I could not find a public version of
this document in a very quick search.

I haven't built this type of system yet, but will be doing so and
testing it in the next few weeks. If one wants to have a single
IDS monitoring both inbound and outbound traffic, this is a
possible solution.

The big issue your buddy presents is state, which, AFAIK, no IDS
can currently maintain. Thus there is no Snort signature that
goes, If A -> B (conditions) and If B -> A (conditions) then alert
or something logically similar.

Perhaps Dr. Cramer's TCP stream reassembly could allow such a
feature set, but the rule definition process would also have to be

Eric Hacker                                  hacker at ...251...

Hacker is my real name. Please, no flames, no props...
Just deal with it.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Lance
Sent: Saturday, August 05, 2000 3:27 PM
To: Snort-Users (E-mail)
Subject: [Snort-users] Asynchronous routing

Routing buddy of mine wanted to know the following about

--- snip snip ---

Our particular network configuration leads to asynchronous
we could in theory do synchronous detection with a sniffer, that
has two input interfaces, one from each core switch. The sniffer
would have to be able to watch both sides of a conversation on
different interfaces.

As far as we know, no commercial sniffer is capable of this at
this time.
However, we beleive that it is technically feasable. Of course one
have to keep track of the state of every connection.

Are any of the IDS signatures snort uses reliant upon seeing both
sides of the
conversation ? I assume that some are. Could we add a second input
to the
packet engine so that it appears as one stream of data from two
interfaces ?

--- snip snip ----



Snort-users mailing list
Snort-users at lists.sourceforge.net

More information about the Snort-users mailing list