[Snort-users] CAT5 Twisted Pair 100Mbit Full-Duplex Ethernet Taps?

shawn . moyer shawn at ...1184...
Fri Mar 16 00:06:48 EST 2001


agetchel at ...1525... wrote:

>         Also, how would the configuration of an ISS RealSecure system work
> with these taps?  From the ISS RealSecure FAQs, I understand that you cannot
> bind the app to more than one NIC.  This means you would have to have two
> IDS systems; one for monitoring incoming traffic and one for monitoring
> outgoing traffic.  Is this correct?  

Umm... Not quite 100% true. You could have two RealSecure processes
running (with some tweaking) on the same box, but you'd need two
licenses, which still equals double the money. You could also get really
kludgy and hang a rinky switch with a span port off of the ethertap, but
that's a solution only a mother could love.

> This would DOUBLE the cost of the
> overall system as we would have to duplicate hardware and software.  If
> using Snort instead of ISS, could you simply have a box with two NICs, one
> plugged into the 'incoming' traffic port and one plugged into the 'outgoing'
> traffic port, and have two copies of Snort running concurrently each bound
> to one of the NICs?  

The '-i any' option works just fine; there seems to be some twiddling
required on Linux, if the list is any measure. Works for me on FreeBSD. Add this
to the 2,333,756,478 reasons why Snort's a better choice than
RealSecure. :)

> I've not tested this, and hope that someone has so they
> can give me a quick answer. =)

Much obliged.





--shawn

-- 

s h a w n   m o y e r
shawn at ...1184...


The universe did not invent justice; man did.
Unfortunately, man must reside in the universe.

					-- Zelazny



