[Snort-users] To TAP or HUB?

Henning, David henningd at ...7800...
Thu Dec 19 10:55:10 EST 2002


Taps are much too expensive to use for casual home stuff.  Taps are most
useful in an environment where you can't span all the ports off a large core
switch.  A hub between the cable modem and fw will work just fine and be
very cheap.  If you properly stealth the NIC on the hub no-one will ever
know you have an IDS there (except us of course ;).  Make certain you
configure the NIC to not respond to ARP and don't give it an IP address.
Unless there is a way to break Snort on the listening interface and
reconfigure the NIC to respond to traffic, an attacker can't get in through
that interface.

David Henning

-----Original Message-----
From: Carleton, Sam (SCI TW)
To: 'snort-users at lists.sourceforge.net'	
Sent: 12/19/02 1:21 PM
Subject: [Snort-users] To TAP or HUB?


I understand the point of using a TAP with an IDS, but is it a must?
is the drawback to simply using a HUB?  I ask because a TAP is a bit
for the house, or at least right now.  My thought is this:  I put a HUB
between the cable modem and firewall.  Then I plug in the second NIC of
IDS Server, but never assign an IP address.  Then turn on snort to
listen to
that NIC.  Would that work?  Would a hacker be able to get into the IDS
Server?  It is my understanding that the presence of the IDS would be
but I can live with that right now.  Are there any other drawbacks?
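
One way to check the two settings described in the reply above (no ARP, no IP address) on a Linux sensor, as an added example that is not part of the original thread. It assumes iproute2's `ip -o` output, a hypothetical interface name `eth1`, and constructed sample output; it also goes beyond the thread by flagging IPv6 addresses, since a link-local address is assigned automatically when an interface comes up.

```shell
#!/bin/sh
# Read-only audit of a sniffing interface: ARP must be off and no IP
# address (IPv4 or IPv6) may be bound. Nothing is changed on the host.
#
# Settings being checked (interface name eth1 is an assumption):
#   ip link set dev eth1 arp off up
#   ip addr flush dev eth1

# Constructed sample `ip -o` output, not captured from a real host.
SAMPLE_LINK_OK='3: eth1: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UP\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'
SAMPLE_LINK_BAD='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'
SAMPLE_ADDR_BAD='3: eth1    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1\       valid_lft forever preferred_lft forever'

# stealth_check LINK_TEXT ADDR_TEXT
# Prints one FAIL line per finding; returns 0 only when there are none.
stealth_check() {
    link=$1
    addr=$2
    rc=0
    # Pull the comma-separated flag list out of "<...>".
    flags=$(printf '%s\n' "$link" | sed -n 's/^[^<]*<\([^>]*\)>.*/\1/p' | head -n 1)
    case ",$flags," in
        *,NOARP,*) ;;
        *) echo "FAIL: ARP is enabled (NOARP flag missing)"; rc=1 ;;
    esac
    # Any inet or inet6 entry means the NIC can answer at layer 3.
    if printf '%s\n' "$addr" | grep -Eq '(^|[[:space:]])inet6?[[:space:]]'; then
        echo "FAIL: interface has an IP address bound"
        rc=1
    fi
    return $rc
}

# audit_iface IFACE: run the check against a live interface.
audit_iface() {
    stealth_check "$(ip -o link show dev "$1")" "$(ip -o addr show dev "$1")"
}

# Stand-alone use: sh stealth_check.sh eth1
if [ "$#" -gt 0 ]; then
    audit_iface "$1"
fi
```
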

