[Snort-users] Asynchronous routing

Dragos Ruiu dr at ...50...
Sun Aug 6 15:44:53 EDT 2000

On Sat, 05 Aug 2000, Lance Spitzner wrote:
> Routing buddy of mine wanted to know the following about
> snort.
> --- snip snip ---
> Our particular network configuration leads to asynchronous routing,
> we could in theory do synchronous detection with a sniffer, that 
> has two input interfaces, one from each core switch. The sniffer
> would have to be able to watch both sides of a conversation on
> different interfaces.

Semantic quibbling, but....You may be using the wrong terms here.
Synchronous means that data appears only when synchronized to 
some time base... I.e. the bits on a T1 line are synchronous at a
rate of 1.544 Mbps.  Asynchronous means that the data can 
show up at any time, like the IP packets traveling superimposed
on those synchronized T1 1.544 Mbps bitstream.  The asynchronous
arrival of data in the synchronous 53 byte cell in ATM is
where the name Asynchronous Transfer Mode comes from.

Reading from your question you probably mean full and half duplex
methinks.... Anyway...

> As far as we know, no commercial sniffer is capable of this at this time.
> However, we beleive that it is technically feasable. Of course one would
> have to keep track of the state of every connection.
There are commercial multiport sniffers, but they tend to be the expensive
hw device variety.  Probably the most famous of these (because for a long
time it was the only commercial multiport ethernet sniffer) is the
Wandel&Goltermann DA-30, but that is an old product and W&G may
have finally replaced it and put some multi-port capability in their
newer Domino series of undercradles. At HP we had some fairly
pricy ($100K+) boxes that I was product manager for that also did
this.  HP has probably come out with others in the last few years too...
The HP Internet Advisor guys have been threatening (;-) to come 
out with multiport for oh... about 10 years now. (Sorry for the shot
if you read this, Bill and Hamish :-) So they may have finally released
something since I left.

> Are any of the IDS signatures snort uses reliant upon seeing both sides of the
> conversation ? I assume that some are. Could we add a second input to the 
> packet engine so that it appears as one stream of data from two physical
> interfaces ?

Snort is currently a state-less (some preprocessors excepted) IDS and there
are no signatures that rely on seeing something in one direction and then seeing
something in the other direction.  It goes through its signature list for
every packet - though I can think of some scenarios where it would be 
nice to be able to have signatures dynamically turn other rules on and off

That said, there is very little except a little coding(:-) that stops snort from
integrating data from multiple interfaces into one snort - but it currently
wouldn't buy you very much over running a couple of instances of snort,
and so that's the reason why no-one has jumped up to develop this.  I
don't think it would be too hard....  but it would be much more useful once
snort would start handling some rules of a "stateful" nature.  The "stateless"
nature of snort is one the reasons it runs with such great performance, imho,
so we should be wary of such design mods and consider carefully.

Anyway, Lance, if your buddy wants to describe his objective further, there
may be a way to acheive it without a great deal of work.... just tell us more
about what you are trying to actually get done.


dursec.com ltd. / kyx.net - we're from the future    http://www.dursec.com

More information about the Snort-users mailing list