[Snort-users] Understanding IDS & TAPS
mkettler at ...4108...
Wed Dec 18 15:28:02 EST 2002
This diagram is actually a "pretty advanced" setup. This is by far not the
only way to set up a tap for snort, but is a good way to make a "receive
only" that handles very high traffic loads. i.e., if you need to tap a
heavily used 100mbit link, this is a good way to do it.

It will not work for "just any" switch, it must be a switch with a spanning
port or that can be configured so that one of its ports is a spanning
port. The spanning port gets ALL traffic that comes in on ALL ports, by
definition (if it did not, it would not be a spanning port). This feature
is generally seen in rack-mount switches for business use. It's not
commonly seen in inexpensive 16-port switches sold at Best Buy.

As far as I can tell in this diagram the primary purpose of the switch is
to act as a packet buffer and to collate traffic from both directions as
receive data without introducing delay to the data going by on the wire.

At 12:00 PM 12/18/2002 -0500, Carleton, Sam (SCI TW) wrote:
>I understand the IDS and TAPS, but not completely. The main thing is the
>physical hookup of the TAP to the IDS. I don't understand the "100Mb IDS
>Tapping Diagram (with only 100bt span port)" diagram. The switch being
>used, can it be any old switch or does it have to be something that is
>programmable? What I don't understand is how the traffic gets through the
>switch. How does the switch know where to send the packets which are coming
>in from the Port A and Port B?