[Snort-users] snort behind TAP & asynchronous_link

Chris Green cmg at ...1935...
Thu Aug 15 07:38:02 EDT 2002

Holger.Woehle at ...2701... writes:

> You are right about the function of the Tap splitting the traffic.
> If I use bond0 with two devices on both Tap ends, everything works...
> So, why wouldn't I do that?
> I have to observe a redundant Ethernet infrastructure. For this
> reason I have to use bond0 to merge Tap A from two Taps. That means
> 2 x 100mbit, which is a lot of traffic, but it works!  If I try to
> catch the answers at Tap B, I have a bonding interface with 4 x
> 100mbit...  only to be able to make stream assembly work. I think
> that's too high a price.  But let us talk about that opinion: I
> don't need any rules observing the server answers.  Does the
> backward traffic stress Snort heavily even without rules?  I
> think yes: Snort has to examine every packet, so I think I would
> have a lot of packet losses, wouldn't I?

It's your trade-off and it's dependent on your configuration.  The way
asynchronous_link assembly has to work is just queuing up packets from
remote clients and then pushing them through the detection engine
rather than seeing what packets the server expects to see.

This means that a session running in asynchronous_link mode does not
have the same type of defenses against snot-type attacks.

Perfect world:
look at both sides

Other worlds:
choose what works for you in your environment.

Chris Green <cmg at ...1935...>
"Yeah, but you're taking the universe out of context."
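
The trade-off described in the reply above, as a toy model added here for illustration; it is not part of the original message and is not Snort's stream4 code. The `Seg` record, the `reassemble` function and the sample traffic are constructed assumptions: the model releases client bytes to detection only when a server ACK covers them, while the `asynchronous_link` variant has no server side to check against.

```python
from collections import namedtuple

# Constructed segment record; direction is "c2s" (client) or "s2c" (server).
Seg = namedtuple("Seg", "direction flags seq ack payload")

def reassemble(segments, asynchronous_link=False):
    """Return the client bytes a sensor would hand to the detection engine.

    Two-sided: the handshake must complete and client bytes are released
    only when a server ACK covers them. asynchronous_link: server traffic
    is not available, so queued client segments are flushed unconfirmed.
    Simplified model: one session, no sequence wraparound, no overlaps.
    """
    syn_seq, established, acked_upto = None, False, 0
    queued = {}  # client seq -> payload
    for s in segments:
        if s.direction == "c2s":
            if "S" in s.flags:
                syn_seq = s.seq
            elif s.payload:
                queued[s.seq] = s.payload
        elif not asynchronous_link:
            if s.flags == "SA" and syn_seq is not None and s.ack == syn_seq + 1:
                established = True
            if established and "A" in s.flags:
                acked_upto = max(acked_upto, s.ack)
    out = b""
    for seq in sorted(queued):
        data = queued[seq]
        if asynchronous_link or (established and seq + len(data) <= acked_upto):
            out += data
    return out

# Constructed traffic: one real session, and one lone segment with no handshake.
REAL = [
    Seg("c2s", "S", 1000, 0, b""),
    Seg("s2c", "SA", 5000, 1001, b""),
    Seg("c2s", "A", 1001, 5001, b""),
    Seg("c2s", "PA", 1001, 5001, b"GET / HTTP/1.0\r\n\r\n"),
    Seg("s2c", "A", 5001, 1019, b""),
]
STATELESS = [Seg("c2s", "PA", 7000, 1, b"bytes that match a rule")]

if __name__ == "__main__":
    for name, segs in (("real", REAL), ("stateless", STATELESS)):
        print(name, reassemble(segs), reassemble(segs, asynchronous_link=True))
```

With both directions visible, the lone segment never reaches detection because no server ever acknowledged it; in the one-sided mode it is flushed like any other client data.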
