[Snort-users] Ether Taps and Snort

Robinson, Ken ken.robinson at ...1563...
Tue Mar 13 11:41:22 EST 2001


We're looking at using EtherTaps (like the Shomiti one, or NetOptics, etc.)
with Snort. An EtherTap breaks down the two traffic directions into
separate ports for monitoring. I.e. transmit and receive are 'mirrored'
to separate RJ-45 jacks.

We can re-combine these by plugging the monitoring ports into a switch, and
then doing a VLAN on the switch, which is then monitored out one port.
Unfortunately, there's a bottleneck of the one port speed of 100Mbits.
This means we may lose data if the combined transmit and receive duplex
channels go above 100Mbit.

I'm wondering about using a Snort box with 2 NICs and the "-i any"
interface as a way of re-assembling the traffic flow to one instance of
Snort. Would this work? Or would Snort still consider the 2 interfaces as
different and not see the bi-directional traffic as one data flow?

If this doesn't work, can somebody suggest another method? I.e. bonding the
ports, or having tcpdump collect one log and have Snort process that log, or
some other method?

Note: This is related to my previous post, but is separate. I need to get
the "-i any" option working for monitoring a failover system and possibly to
monitor the 2 ports out of an EtherTap.

Again, Thanks for any help you can offer. 

Ken Robinson
Canada Customs and Revenue Agency
Enterprise Security Section
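One of the fallback methods the post lists is to let tcpdump capture each tap port separately and hand Snort a single log. The merge step that requires, as an added example that is not from this thread or from the Snort project: a small Python merger that interleaves a transmit-side and a receive-side capture by timestamp. It follows the classic libpcap file layout (24-byte global header, 16-byte per-record header); the two sample captures are constructed inline.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4                 # classic pcap, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1


def write_pcap(records, linktype=LINKTYPE_ETHERNET):
    """Serialise (ts_sec, ts_usec, frame_bytes) tuples into one pcap byte string."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for sec, usec, frame in records:
        out.append(REC_HDR.pack(sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(blob):
    """Parse a pcap byte string into (linktype, [(ts_sec, ts_usec, frame_bytes), ...])."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = GLOBAL_HDR.unpack_from(blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    off, records = GLOBAL_HDR.size, []
    while off + REC_HDR.size <= len(blob):
        sec, usec, incl_len, _orig = REC_HDR.unpack_from(blob, off)
        off += REC_HDR.size
        records.append((sec, usec, blob[off:off + incl_len]))
        off += incl_len
    return linktype, records


def merge_pcaps(tx_blob, rx_blob):
    """Interleave the two half-duplex captures by timestamp into one full-duplex pcap."""
    # Both captures must share one clock (two tcpdump processes on the same host)
    # for the ordering to mean anything; on equal timestamps the transmit side wins.
    tx_lt, tx = read_pcap(tx_blob)
    rx_lt, rx = read_pcap(rx_blob)
    if tx_lt != rx_lt:
        raise ValueError("link types differ: %d vs %d" % (tx_lt, rx_lt))
    merged = sorted(tx + rx, key=lambda r: (r[0], r[1]))  # sorted() is stable
    return write_pcap(merged, tx_lt)


# Constructed sample captures: the client side of a handshake on the transmit
# port, the server side on the receive port. Frame bodies are placeholders.
TX_PCAP = write_pcap([(1000, 100, b"syn"), (1000, 300, b"ack")])
RX_PCAP = write_pcap([(1000, 200, b"syn-ack"), (1000, 400, b"data")])

if __name__ == "__main__":
    _, frames = read_pcap(merge_pcaps(TX_PCAP, RX_PCAP))
    print([f for _, _, f in frames])  # [b'syn', b'syn-ack', b'ack', b'data']
```

With real captures, a single pass over the merged file gives Snort both directions of each session in order; the snaplen written here is fixed at 65535, so adjust it if the source captures were truncated.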
