[Snort-users] Asynchronous routing

Dragos Ruiu dr at ...50...
Sun Aug 6 16:19:30 EDT 2000


Sorry if you see this twice... had a full /var and mailer
sputtered. --dr

On Sun, 06 Aug 2000, Dragos Ruiu wrote:
> On Sat, 05 Aug 2000, Lance Spitzner wrote:
> > Routing buddy of mine wanted to know the following about
> > snort.
> > 
> > --- snip snip ---
> > 
> > Our particular network configuration leads to asynchronous routing,
> > we could in theory do synchronous detection with a sniffer, that 
> > has two input interfaces, one from each core switch. The sniffer
> > would have to be able to watch both sides of a conversation on
> > different interfaces.
> > 
> 
> Semantic quibbling, but....You may be using the wrong terms here.
> Synchronous means that data appears only when synchronized to 
> some time base... I.e. the bits on a T1 line are synchronous at a
> rate of 1.544 Mbps.  Asynchronous means that the data can 
> show up at any time, like the IP packets traveling superimposed
> on those synchronized T1 1.544 Mbps bitstream.  The asynchronous
> arrival of data in the synchronous 53 byte cell in ATM is
> where the name Asynchronous Transfer Mode comes from.
> 
> Reading from your question you probably mean full and half duplex
> methinks.... Anyway...
> 
> > As far as we know, no commercial sniffer is capable of this at this time.
> > However, we believe that it is technically feasible. Of course one would
> > have to keep track of the state of every connection.
> > 
> There are commercial multiport sniffers, but they tend to be the expensive
> hw device variety.  Probably the most famous of these (because for a long
> time it was the only commercial multiport ethernet sniffer) is the
> Wandel&Goltermann DA-30, but that is an old product and W&G may
> have finally replaced it and put some multi-port capability in their
> newer Domino series of undercradles. At HP we had some fairly
> pricey ($100K+) boxes that I was product manager for that also did
> this.  HP has probably come out with others in the last few years too...
> The HP Internet Advisor guys have been threatening (;-) to come 
> out with multiport for oh... about 10 years now. (Sorry for the shot
> if you read this, Bill and Hamish :-) So they may have finally released
> something since I left.
> 
> > Are any of the IDS signatures snort uses reliant upon seeing both sides of the
> > conversation ? I assume that some are. Could we add a second input to the 
> > packet engine so that it appears as one stream of data from two physical
> > interfaces ?
> > 
> 
> Snort is currently a state-less (some preprocessors excepted) IDS and there
> are no signatures that rely on seeing something in one direction and then seeing
> something in the other direction.  It goes through its signature list for
> every packet - though I can think of some scenarios where it would be 
> nice to be able to have signatures dynamically turn other rules on and off
> (state).
> 
> That said, there is very little except a little coding(:-) that stops snort from
> integrating data from multiple interfaces into one snort - but it currently
> wouldn't buy you very much over running a couple of instances of snort,
> and so that's the reason why no-one has jumped up to develop this.  I
> don't think it would be too hard....  but it would be much more useful once
> snort would start handling some rules of a "stateful" nature.  The "stateless"
> nature of snort is one of the reasons it runs with such great performance, imho,
> so we should be wary of such design mods and consider carefully.
> 
> Anyway, Lance, if your buddy wants to describe his objective further, there
> may be a way to achieve it without a great deal of work.... just tell us more
> about what you are trying to actually get done.
> 
> cheers,
> --dr
> 
> -- 
> dursec.com ltd. / kyx.net - we're from the future    http://www.dursec.com
-- 
dursec.com ltd. / kyx.net - we're from the future    http://www.dursec.com
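As an added illustration of the two-interface merge discussed in this thread (not code from the thread or from Snort itself), the following Python example merges per-interface feeds by timestamp and keys flows bidirectionally, so that a TCP handshake whose two directions arrive on different interfaces under asymmetric routing is recognized as one connection; all packet records are constructed.

```python
import heapq
from collections import namedtuple

# Constructed packet records (not real captures): timestamp, 5-tuple, TCP flags.
Pkt = namedtuple("Pkt", "ts src sport dst dport flags")

# Asymmetric routing: client->server packets are seen on interface A,
# server->client packets on interface B. Neither feed alone has a full handshake.
IFACE_A = [
    Pkt(1.000, "10.0.0.5", 40000, "192.0.2.10", 80, "S"),
    Pkt(1.002, "10.0.0.5", 40000, "192.0.2.10", 80, "A"),
]
IFACE_B = [
    Pkt(1.001, "192.0.2.10", 80, "10.0.0.5", 40000, "SA"),
]


def merge_feeds(*feeds):
    """Merge per-interface packet lists into one timestamp-ordered stream."""
    return list(heapq.merge(*feeds, key=lambda p: p.ts))


def flow_key(p):
    """Canonical bidirectional key: both directions of a conversation map to one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def handshakes(stream):
    """Return the flow keys whose three-way handshake (SYN, SYN-ACK, ACK) completes."""
    state = {}   # flow key -> handshake stage reached (1=SYN, 2=SYN-ACK, 3=ACK)
    done = []
    for p in stream:
        k = flow_key(p)
        s = state.get(k, 0)
        if s == 0 and p.flags == "S":
            state[k] = 1
        elif s == 1 and p.flags == "SA":
            state[k] = 2
        elif s == 2 and p.flags == "A":
            state[k] = 3
            done.append(k)
    return done


if __name__ == "__main__":
    print("single interface:", handshakes(IFACE_A))                 # []
    print("merged interfaces:", handshakes(merge_feeds(IFACE_A, IFACE_B)))
```

A single-interface sensor never sees the SYN-ACK and so never completes the handshake state; the merged stream does.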