[Snort-users] Two sensors for a Shomiti tap?
cmg at ...671...
Wed Apr 25 09:27:00 EDT 2001
agetchel at ...1525... writes:
> Hey all,
> What are the downsides (besides increased hardware costs) of using
> one box to monitor traffic flowing one way (on one monitor port) and another
> box to monitor traffic flowing the other way (on the other monitor port)?
Packet sequence between machines. It can be a pain to look at alerts
(esp. in binary format) and see them off by small amounts of time.
NTP mitigates this but it's not perfect (as long as one doesn't treat
too many digits as significant, it's fine).
The other problem is fancy plugins that expect to see both sides of a
I've got some taps to play with and I have to attack this very
problem as soon as a new computer is shipped to me. I'm monitoring
half duplex 100 so it might be possible to bring them both into 1
hub and then monitor from there. I'm afraid that collisions might
occur way too often like that even though I doubt there's enough wire
to delay the signal that long.
I would prefer a cheap hardware solution rather than 2 ethernet cards
as I want to end up with a set of machines all monitoring off the taps
Chris Green <cmg at ...671...>
"Yeah, but you're taking the universe out of context."
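
Added example, not part of the original post: a Python sketch of merging the records from two per-direction sensors and flagging where their relative order cannot be trusted because the timestamps differ by less than the clock error left after NTP. The sensor names, record layout, sample records and the 10 ms bound are all assumptions constructed for illustration.

```python
import heapq
from typing import List, NamedTuple, Tuple

class Record(NamedTuple):
    ts: float     # sensor-local timestamp in seconds
    sensor: str   # which box logged the record (hypothetical names)
    note: str     # alert or packet summary

def _other_sensor_within(merged: List[Record], i: int, step: int,
                         max_skew: float) -> bool:
    """Walk from index i in direction step while records stay within max_skew."""
    j = i + step
    while 0 <= j < len(merged) and abs(merged[j].ts - merged[i].ts) <= max_skew:
        if merged[j].sensor != merged[i].sensor:
            return True
        j += step
    return False

def merge_with_tolerance(a: List[Record], b: List[Record],
                         max_skew: float) -> List[Tuple[Record, bool]]:
    """Merge two time-sorted streams into one timeline.

    Each record is paired with an 'ambiguous' flag that is True when a record
    from the other sensor lies within max_skew, meaning the two clocks do not
    agree closely enough to say which event really came first.
    """
    merged = list(heapq.merge(a, b, key=lambda r: r.ts))
    return [(rec, _other_sensor_within(merged, i, -1, max_skew)
                  or _other_sensor_within(merged, i, +1, max_skew))
            for i, rec in enumerate(merged)]

# Constructed sample: tap-b's clock runs slightly behind, so the SYN-ACK
# appears to precede the SYN that triggered it.
TAP_A = [Record(10.000, "tap-a", "SYN"),
         Record(10.050, "tap-a", "ACK"),
         Record(12.000, "tap-a", "request")]
TAP_B = [Record(9.998, "tap-b", "SYN-ACK"),
         Record(12.300, "tap-b", "response")]
MAX_SKEW = 0.010  # assumed residual clock error between the two sensors

def demo() -> List[Tuple[Record, bool]]:
    return merge_with_tolerance(TAP_A, TAP_B, MAX_SKEW)

if __name__ == "__main__":
    for rec, ambiguous in demo():
        flag = "order uncertain" if ambiguous else ""
        print(f"{rec.ts:8.3f} {rec.sensor:6} {rec.note:10} {flag}")
```
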