[Snort-users] Understanding IDS & TAPS

Carleton, Sam (SCI TW) Sam_Carleton_TW at ...7796...
Wed Dec 18 10:51:03 EST 2002

Read theory?  Well, learning more about TCP/IP is on my hit list of things
to do.  
So, if my understanding of your short answer is correct, you said:  The
switch either needs a port that all traffic goes to or it must be able to be
configured to send packets from one port to another, based on MAC address.

Now Netgear has this switch FSM726S which is a "managed switch".  Is my
impression correct that a "managed switch" is one that can be configured to
send the packets from Port A's and Port B's ports to the IDS's port?
Where can I go to learn more about this networking stuff, primarily what a
managed switch is and what all one can do with it?  If my impression is
correct, one managed switch could be used to create multiple isolated
networks.  In other words, I am under the impression that by configuring this
Netgear switch so that one set of ports are for the DMZ and another set of
ports are for the internal network, I could have one switch with two networks.
This is as opposed to having to have two physical switches, one for the DMZ
and one for the internal network.
Oh, wait a second.  I just had a thought.  Does it HAVE to be a switch
between the TAP and the IDS?  Can I use a HUB?  The only reason I could see
a HUB being a problem is if a packet of info came in on both Port A & B at
the same time.

 -----Original Message-----
From: 	twig les [mailto:twigles at ...131...] 
Sent:	Wednesday, December 18, 2002 12:54 PM
To:	Carleton, Sam (SCI TW); 'snort-users at lists.sourceforge.net'
Subject:	Re: [Snort-users] Understanding IDS & TAPS

Your questions span (pun!) more than the IDS field. 
Pick up a good book on switches or at least something
that explains the OSI model.  As loath as I am to
recommend reading theory, it really applies.

A short answer is that switches forward packets out of
specific ports based on a table they keep.  The table
correlates MAC address<->port relationships.  To sniff
on a switch you need one of two things: a port that
the switch sends ALL traffic to, regardless of the
destination MAC, or a piece of software like Ettercap
that does massive ARP poisoning.  For multiple obvious
reasons you prolly want to stick to the former.

--- "Carleton, Sam (SCI TW)"
<Sam_Carleton_TW at ...7796...> wrote:
> Folks,
> I understand the IDS and TAPS, but not completely. 
> The main thing is the
> physical hookup of the TAP to the IDS.  I don't
> understand the "100Mb IDS
> Tapping Diagram (with only 100bt span port)"
> diagram.  The switch being
> used, can it be any old switch or does it have to be
> something that is
> programmable?  What I don't understand is how the
> traffic gets through the
> switch.  How does the switch know where to send the
> packets which are coming
> in from the Port A and Port B?
> Sam

If you give a man a fish, he can eat for a day
If you bludgeon him to death, you can eat the fish yourself



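An added illustration of the forwarding-table point made in the reply above (this is not code from the thread or from the Snort project): a small Python model of a learning switch with the two TAP outputs plugged into Port A and Port B and the sensor on a third port, run once with the sensor on an ordinary port and once with that port configured as the "port that ALL traffic goes to" (a mirror/SPAN port). The port names, MAC addresses and the four-frame exchange are constructed for the example.

```python
# Constructed model of a learning switch fed by a network TAP.
# A TAP splits a full-duplex link into two one-way streams: Port A carries
# client->server, Port B carries server->client. Anything the switch
# forwards back out of A or B goes nowhere, because the TAP outputs only
# transmit towards the switch. The IDS sits on a third port.
CLIENT, SERVER = "00:00:00:00:00:01", "00:00:00:00:00:02"  # made-up MACs

class LearningSwitch:
    def __init__(self, ports, span_port=None):
        self.forwarding_ports = set(ports) - {span_port}
        self.span_port = span_port          # port that receives ALL traffic
        self.mac_table = {}                 # MAC -> port it was learned on
        self.egressed = {p: [] for p in ports}

    def receive(self, ingress, src, dst):
        """Learn the source MAC, then forward by destination MAC."""
        self.mac_table[src] = ingress
        known = self.mac_table.get(dst)
        if known is not None:               # known destination: one port
            egress = {known} - {ingress}
        else:                               # unknown destination: flood
            egress = self.forwarding_ports - {ingress}
        if self.span_port is not None:      # mirror every frame to the IDS
            egress.add(self.span_port)
        for port in egress:
            self.egressed[port].append((src, dst))

def tap_scenario(mirror_to_ids):
    """Return (frames the IDS port saw, total frames) for a 4-frame exchange."""
    ports = ("A", "B", "IDS")
    sw = LearningSwitch(ports, span_port="IDS" if mirror_to_ids else None)
    conversation = [  # (TAP port, src, dst): request, reply, request, reply
        ("A", CLIENT, SERVER), ("B", SERVER, CLIENT),
        ("A", CLIENT, SERVER), ("B", SERVER, CLIENT),
    ]
    for ingress, src, dst in conversation:
        sw.receive(ingress, src, dst)
    return sw.egressed["IDS"], len(conversation)

if __name__ == "__main__":
    for mirror in (False, True):
        seen, total = tap_scenario(mirror)
        kind = "SPAN" if mirror else "plain"
        print(f"IDS on a {kind} port: saw {len(seen)} of {total} frames")
```

On a plain port the sensor sees only the very first frame, flooded while the server MAC is still unknown; once the switch has learned both MACs on A and B, every later frame is forwarded straight back into the TAP and the IDS is blind. With the IDS port mirrored it sees all four.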