[Snort-users] Two sensors for a Shomiti tap?

Chris Green cmg at ...671...
Wed Apr 25 09:27:00 EDT 2001


agetchel at ...1525... writes:

> Hey all,
> 	What are the downsides (besides increased hardware costs) of using
> one box to monitor traffic flowing one way (on one monitor port) and another
> box to monitor traffic flowing the other way (on the other monitor port)?
> 
> Thanks,
> Abe

Packet sequence between machines. It can be a pain to look at alerts
(esp. in binary format) and see them off by small amounts of time.
NTP mitigates this but it's not perfect (as long as one doesn't treat
too many digits as significant, it's fine).

The other problem is fancy plugins that expect to see both sides of a
conversation.

I've got some taps to play with and I have to attack this very
problem as soon as a new computer is shipped to me.  I'm monitoring
half duplex 100 so it might be possible to bring them both into 1
hub and then monitor from there.  I'm afraid that collisions might
occur way too often like that even though I doubt there's enough wire
to delay the signal that long.

I would prefer a cheap hardware solution rather than 2 ethernet cards
as I want to end up with a set of machines all monitoring off the taps
via hubs.
-- 
Chris Green <cmg at ...671...>
"Yeah, but you're taking the universe out of context."
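
The timestamp problem described in the reply above, as an added example that is not part of the original post: merging alerts from two single-direction sensors into one timeline and flagging entries whose relative order cannot be trusted. The names, the 5 ms tolerance and the sample events are assumptions constructed for illustration.

```python
import heapq
from typing import NamedTuple

class Event(NamedTuple):
    ts: float     # sensor-local timestamp, epoch seconds
    sensor: str   # which tap monitor port (direction) saw the packet
    msg: str

def merge_timeline(a, b, skew=0.005):
    """Merge two time-sorted event lists into one timeline.

    Returns (event, ambiguous) pairs. ambiguous is True when an event from
    the other sensor lies within `skew` seconds, i.e. the two clocks are not
    known to agree well enough to trust the relative order.
    """
    merged = list(heapq.merge(a, b, key=lambda e: e.ts))
    result = []
    for i, ev in enumerate(merged):
        ambiguous = False
        for step in (-1, 1):              # scan backwards, then forwards
            j = i + step
            while 0 <= j < len(merged) and abs(merged[j].ts - ev.ts) < skew:
                if merged[j].sensor != ev.sensor:
                    ambiguous = True
                    break
                j += step
        result.append((ev, ambiguous))
    return result

# Constructed sample: the outbound sensor's clock runs a few ms behind, so
# the SYN-ACK is stamped *before* the SYN it answers.
INBOUND = [
    Event(1000.0000, "inbound", "SYN"),
    Event(1000.0031, "inbound", "ACK"),
    Event(1000.2500, "inbound", "request"),
]
OUTBOUND = [
    Event(999.9990, "outbound", "SYN-ACK"),
    Event(1000.4000, "outbound", "response"),
]

if __name__ == "__main__":
    for ev, ambiguous in merge_timeline(INBOUND, OUTBOUND):
        flag = "?" if ambiguous else " "
        print(f"{ev.ts:.4f} {flag} {ev.sensor:<8} {ev.msg}")
```

Entries marked `?` are the ones where the extra timestamp digits should not be treated as significant.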



