[Snort-users] CAT5 Twisted Pair 100Mbit Full-Duplex Ethernet Taps?

Are any of the Snort rules looking for two-way communication, or are they
all only one-way? I.e., it's a hit if a request is made and a certain
response is sent back?

If there are rules depending on seeing both directions, does a '-i any' work
with the EtherTap to detect the full flow, or does it see it as 2 unrelated


> Also, how would the configuration of an ISS RealSecure system work
> with these taps?  From the ISS RealSecure FAQs, I understand that you
> bind the app to more than one NIC.  This means you would have to have two
> IDS systems; one for monitoring incoming traffic and one for monitoring
> outgoing traffic.  Is this correct?  

Umm... Not quite 100% true. You could have two RealSecure processes
running (with some tweaking) on the same box, but you'd need two
licenses, which still equals double the money. You could also get really
kludgy and hang a rinky switch with a span port off of the ethertap, but
that's a solution only a mother could love.

> This would DOUBLE the cost of the
> overall system as we would have to duplicate hardware and software.  If
> using Snort instead of ISS, could you simply have a box with two NICs, one
> plugged into the 'incoming' traffic port and one plugged into the 'outgoing'
> traffic port, and have two copies of Snort running concurrently, each bound
> to one of the NICs?

The '-i any' option works just fine, though there seems to be some twiddling
required on Linux, if the list is any measure. Works for me on FreeBSD. Add
this to the 2,333,756,478 reasons why Snort's a better choice than
RealSecure. :)

> I've not tested this, and hope that someone has so they
> can give me a quick answer. =)

Much obliged.
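An added illustration of the point behind the '-i any' question (this is example code written for this page, not code from the thread or from Snort): a passive tap hands each direction of a conversation to a different NIC, so a sensor that inspects the two NICs as separate streams can never satisfy a rule that needs to see a request on one side and the matching response on the other. The packets, the 192.0.2.x/198.51.100.x addresses and the "cgi-bin request followed by 200 OK" rule below are all constructed stand-ins; the rule is a toy, not a real Snort signature. The detector is run once per tap leg and once over the two legs merged by timestamp, which is what a single sensor sees when both legs are fed to it as one interface.

```python
"""Two tap legs inspected separately vs. merged into one packet stream.

Constructed example: Packet records stand in for frames captured on the two
NICs attached to a passive Ethernet tap.  Nothing here is Snort's own code.
"""
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

Endpoint = str                      # "ip:port"
FlowKey = Tuple[Endpoint, Endpoint]  # endpoints in sorted order, direction-free
Direction = Tuple[Endpoint, Endpoint]  # (src, dst) as seen on the wire


class Packet(NamedTuple):
    ts: float          # capture timestamp, seconds
    src: Endpoint
    dst: Endpoint
    payload: bytes


def flow_key(pkt: Packet) -> FlowKey:
    """Direction-independent flow key: sort the endpoints so client->server
    and server->client packets map to the same flow."""
    a, b = sorted((pkt.src, pkt.dst))
    return (a, b)


def merge_legs(*legs: Iterable[Packet]) -> List[Packet]:
    """Interleave per-NIC captures by timestamp.  This is what one sensor
    sees when both tap legs arrive on a single (e.g. bonded) interface or in
    a merged pcap, instead of two unrelated one-way streams."""
    return sorted((p for leg in legs for p in leg), key=lambda p: p.ts)


def detect_request_response(packets: Iterable[Packet],
                            request_marker: bytes,
                            response_marker: bytes) -> List[FlowKey]:
    """Toy two-way rule: alert on a flow that carries request_marker in one
    direction and, later, response_marker in the opposite direction.
    Returns the flow keys that alerted, in order."""
    pending: Dict[FlowKey, Optional[Direction]] = {}
    alerts: List[FlowKey] = []
    for pkt in packets:
        key = flow_key(pkt)
        direction: Direction = (pkt.src, pkt.dst)
        req_dir = pending.get(key)
        if req_dir is None and request_marker in pkt.payload:
            pending[key] = direction          # remember who asked
        elif (req_dir is not None
              and response_marker in pkt.payload
              and direction == (req_dir[1], req_dir[0])):  # reverse direction
            alerts.append(key)
            pending[key] = None               # one alert per exchange
    return alerts


# Constructed traffic (RFC 5737 documentation addresses), one HTTP exchange.
CLIENT: Endpoint = "192.0.2.10:40001"
SERVER: Endpoint = "198.51.100.5:80"
REQUEST_MARKER = b"GET /cgi-bin/"
RESPONSE_MARKER = b"200 OK"

# Leg A: the NIC on the tap port that carries client -> server frames.
LEG_A: List[Packet] = [
    Packet(1.000, CLIENT, SERVER, b""),                                   # SYN
    Packet(1.002, CLIENT, SERVER, b"GET /cgi-bin/test.cgi HTTP/1.0\r\n\r\n"),
    Packet(1.010, CLIENT, SERVER, b""),                                   # ACK
]
# Leg B: the NIC on the tap port that carries server -> client frames.
LEG_B: List[Packet] = [
    Packet(1.001, SERVER, CLIENT, b""),                                   # SYN/ACK
    Packet(1.005, SERVER, CLIENT, b"HTTP/1.0 200 OK\r\n\r\n<html>"),
]


def alerts_per_view() -> Tuple[List[FlowKey], List[FlowKey], List[FlowKey]]:
    """Run the two-way rule over leg A alone, leg B alone, and the merged
    stream.  Only the merged view can see both halves of the exchange."""
    return (
        detect_request_response(LEG_A, REQUEST_MARKER, RESPONSE_MARKER),
        detect_request_response(LEG_B, REQUEST_MARKER, RESPONSE_MARKER),
        detect_request_response(merge_legs(LEG_A, LEG_B), REQUEST_MARKER, RESPONSE_MARKER),
    )


if __name__ == "__main__":
    leg_a, leg_b, merged = alerts_per_view()
    print("leg A alone :", leg_a)
    print("leg B alone :", leg_b)
    print("merged      :", merged)
```

Two separate Snort processes, one per NIC, are in the same position as the first two calls: each only ever sees half of every flow. Feeding both legs to one process (whether via libpcap's `any` pseudo-interface as discussed above, or by aggregating the two NICs into one logical interface at the OS level, a common practice for tap deployments) is what puts the sensor in the position of the third call.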