[Snort-users] CAT5 Twisted Pair 100Mbit Full-Duplex Ethernet Taps?

Robinson, Ken ken.robinson at ...1563...
Fri Mar 16 09:47:15 EST 2001


Are any of the Snort rules looking for two way communication, or are they
all only one way?   I.e. It's a hit if a request is made and a certain
response is sent back?  

If there are rules depending on seeing both directions, does a '-i any' work
with the EtherTap to detect the full flow, or does it see it as 2 unrelated
flows?

Thanks.

-----Original Message-----
From: shawn . moyer [mailto:shawn at ...1184...]
Sent: March 16, 2001 12:07 AM
To: agetchel at ...1525...
Cc: FOCUS-IDS at ...220...; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] CAT5 Twisted Pair 100Mbit Full-Duplex
Ethernet Taps?


agetchel at ...1525... wrote:

>         Also, how would the configuration of an ISS RealSecure system work
> with these taps?  From the ISS RealSecure FAQs, I understand that you cannot
> bind the app to more than one NIC.  This means you would have to have two
> IDS systems; one for monitoring incoming traffic and one for monitoring
> outgoing traffic.  Is this correct?  

Umm... Not quite 100% true. You could have two RealSecure processes
running (with some tweaking) on the same box, but you'd need two
licenses, which still equals double the money. You could also get really
kludgy and hang a rinky switch with a span port off of the ethertap, but
that's a solution only a mother could love.

> This would DOUBLE the cost of the
> overall system as we would have to duplicate hardware and software.  If
> using Snort instead of ISS, could you simply have a box with two NICs, one
> plugged into the 'incoming' traffic port and one plugged into the 'outgoing'
> traffic port, and have two copies of Snort running concurrently each bound
> to one of the NICs?  

The '-i any' option works just fine, seems to be some twiddling required
on Linux, if the list is any measure. Works for me on FreeBSD. Add this
to the 2,333,756,478 reasons why Snort's a better choice than
RealSecure. :)

> I've not tested this, and hope that someone has so they
> can give me a quick answer. =)

Much obliged.





--shawn

-- 

s h a w n   m o y e r
shawn at ...1184...


The universe did not invent justice; man did.
Unfortunately, man must reside in the universe.

					-- Zelazny

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
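Ken's question of whether a sensor behind a full-duplex tap ends up with one flow or two unrelated ones, as an added Python illustration (not code from this thread or from Snort): it canonicalises the 5-tuple so packets from two constructed tap legs land in one flow record, then reports whether both directions and a complete handshake were seen. The addresses, ports and packet lists are constructed for the example.

```python
"""Merge two unidirectional tap legs into bidirectional flow records.

Added example for the tap discussion; the packets below are constructed.
A rule that needs a request and its response can only match if the
sensor sees both legs and keys them into the same flow.
"""
from collections import defaultdict

# Constructed packets: (src_ip, sport, dst_ip, dport, tcp_flags)
TAP_LEG_A = [  # client -> server direction, as seen on one tap port
    ("10.0.0.5", 40001, "192.0.2.10", 80, "S"),
    ("10.0.0.5", 40001, "192.0.2.10", 80, "A"),
    ("10.0.0.5", 40001, "192.0.2.10", 80, "PA"),
]
TAP_LEG_B = [  # server -> client direction, as seen on the other port
    ("192.0.2.10", 80, "10.0.0.5", 40001, "SA"),
    ("192.0.2.10", 80, "10.0.0.5", 40001, "PA"),
]

def flow_key(src, sport, dst, dport):
    """Order the endpoints so both directions map to the same key."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)

def track_flows(*legs):
    """Fold packets from any number of tap legs into flow records."""
    flows = defaultdict(lambda: {"dirs": set(), "flags": []})
    for leg in legs:
        for src, sport, dst, dport, flags in leg:
            rec = flows[flow_key(src, sport, dst, dport)]
            rec["dirs"].add((src, sport))   # which endpoints were seen sending
            rec["flags"].append(flags)
    return dict(flows)

def handshake_complete(rec):
    """True only if SYN, SYN/ACK and ACK were all observed for the flow."""
    seen = rec["flags"]
    return "S" in seen and "SA" in seen and "A" in seen

def summarize(*legs):
    """Return (flow_count, bidirectional_count, established_count)."""
    flows = track_flows(*legs)
    bidir = sum(1 for r in flows.values() if len(r["dirs"]) == 2)
    est = sum(1 for r in flows.values() if handshake_complete(r))
    return len(flows), bidir, est

if __name__ == "__main__":
    # One leg alone never yields a bidirectional or established flow.
    print("leg A only:", summarize(TAP_LEG_A))
    print("both legs :", summarize(TAP_LEG_A, TAP_LEG_B))
```

A sensor bound to a single leg sees one half-flow per session, so a rule that waits for the response side can never fire; merging both legs before flow tracking is what makes the request/response pairing visible.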

