[Snort-users] Connecting snort bidirectional.

Jeff Nathan jeff at ...950...
Thu May 23 21:40:03 EDT 2002


Patrice.Arnal at ...4604... wrote:
> 
> Hello
> 
> I have a little problem with the connection of my SNORT IDS on my provider:
> 
> I use the "classical" stealth connection with a tap :
> 
> Internet -------------TAP----------------Firewall
>                       |  |
>                   out |  |in
>                       |  |
>                      SNORT
> 
> The problem is: the tap gives me 2 outputs connected to 2 interfaces on
> my Snort box: one for the outbound traffic and one for the inbound traffic.
> 
> So I use two instances of snort to monitor the in and the out, but I can't
> make "activate" rules work on the answer.
> 
> As my net is full duplex, the "net-men" told me that putting a hub to
> merge the in and out should lead to collisions and loss of packets.
> 
> Any ideas?
> 
> Patrice ARNAL
> ALCANET France
> Site d'ILLKIRCH
> 1 Route du Dr Albert SCHWEITZER
> 67408 ILLKIRCH CEDEX

The ports on the tap are designed to be plugged into a network
analyzer.  For the purposes of Intrusion Detection, you'll have to plug
the two tap ports into a switch and then span those two ports to a third
port.  If that third port is 100Mb and you're tapping full-duplex 100Mb
you can end up with a situation where you're pushing more data into the
span port than the media can handle (oversubscription).

-Jeff

-- 
http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
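The oversubscription Jeff describes can be estimated before picking the SPAN port. The following is an added example, not code from the original thread; the 100 Mb/s figures, the queue depth and the per-second traffic samples are constructed assumptions, and the model is a deliberately simple per-second queue rather than a real switch.

```python
"""Model of SPAN-port oversubscription when both tap outputs are mirrored
to one port. Added example, not from the original thread; all numbers
(100 Mb/s link, 100 Mb/s SPAN port, queue depth, traffic samples) are
constructed assumptions."""
from typing import List, Tuple

SPAN_MBPS = 100.0      # capacity of the single SPAN port feeding Snort
BUFFER_MBIT = 8.0      # assumed output-queue depth on the SPAN port (1 MB)


def offered_load(inbound_mbps: List[float], outbound_mbps: List[float]) -> List[float]:
    """Per-second load the switch tries to push out the SPAN port: the
    inbound and outbound halves of the full-duplex link added together."""
    if len(inbound_mbps) != len(outbound_mbps):
        raise ValueError("samples must cover the same seconds")
    return [i + o for i, o in zip(inbound_mbps, outbound_mbps)]


def simulate_span(inbound_mbps: List[float], outbound_mbps: List[float],
                  span_mbps: float = SPAN_MBPS,
                  buffer_mbit: float = BUFFER_MBIT) -> Tuple[float, float]:
    """Run the offered load through a SPAN port with a finite queue.

    Each second the port forwards at most span_mbps megabits; the excess
    waits in a queue of buffer_mbit megabits and anything beyond that is
    dropped, i.e. never reaches the sensor. Returns (offered, dropped)
    in megabits over the whole sample window.
    """
    backlog = dropped = offered_total = 0.0
    for load in offered_load(inbound_mbps, outbound_mbps):
        offered_total += load
        backlog += load
        backlog -= min(backlog, span_mbps)      # what got out this second
        if backlog > buffer_mbit:               # queue overflow -> loss
            dropped += backlog - buffer_mbit
            backlog = buffer_mbit
    return offered_total, dropped


def loss_fraction(inbound_mbps: List[float], outbound_mbps: List[float],
                  span_mbps: float = SPAN_MBPS,
                  buffer_mbit: float = BUFFER_MBIT) -> float:
    """Share of the tapped traffic Snort would never see."""
    offered, dropped = simulate_span(inbound_mbps, outbound_mbps, span_mbps, buffer_mbit)
    return dropped / offered if offered else 0.0


if __name__ == "__main__":
    # Constructed samples: a quiet link and a busy one, four seconds each.
    quiet_in, quiet_out = [30.0] * 4, [20.0] * 4
    busy_in, busy_out = [90.0] * 4, [60.0] * 4
    print("quiet link, 100 Mb/s SPAN:", loss_fraction(quiet_in, quiet_out))
    print("busy link, 100 Mb/s SPAN:", loss_fraction(busy_in, busy_out))
    print("busy link, 1 Gb/s SPAN:", loss_fraction(busy_in, busy_out, span_mbps=1000.0))
```

A busy full-duplex 100 Mb/s link mirrored to a 100 Mb/s SPAN port loses about a third of the traffic in this model, while the same load into a faster SPAN port loses nothing, which is the sizing check worth doing before trusting the sensor's view.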