[Snort-users] Connecting snort bidirectional.
jeff at ...950...
Thu May 23 21:40:03 EDT 2002
Patrice.Arnal at ...4604... wrote:
> I have a little problem with the connection of my SNORT IDS on my provider.
> I use the "classical" stealth connection with a tap:
>
> Internet -------------TAP----------------Firewall
>                        | |
>                    out | | in
>                        | |
>
> The problem is: the tap gives me 2 outputs connected to 2 interfaces on
> my Snort box: one for the outbound traffic and one for the inbound traffic.
> So I use two instances of snort to monitor the in and the out, but I can't
> make "activate" rules work on the answer.
> As my net is full duplex, the "net-men" told me that putting a hub to
> merge the in and out should lead to collisions and loss of packets.
> Any ideas?
> Patrice ARNAL
> ALCANET France
> Site d'ILLKIRCH
> 1 Route du Dr Albert SCHWEITZER
> 67408 ILLKIRCH CEDEX
The ports on the tap are designed to be plugged into a network
analyzer. For the purposes of Intrusion Detection, you'll have to plug
the two tap ports into a switch and then span those two ports to a third
port. If that third port is 100Mb and you're tapping full-duplex 100Mb
you can end up with a situation where you're pushing more data into the
span port than the media can handle (oversubscription).
http://jeff.wwti.com (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
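As an added illustration of why the two one-way tap feeds have to be recombined before a request/response rule can fire (example code written for this page, not from the thread or from Snort): two constructed per-direction capture lists are merged by timestamp, and a toy activate/dynamic-style correlation is run over each instance's view and over the merged view. The addresses, payloads and timestamps are made up.

```python
import heapq
from dataclasses import dataclass, field


@dataclass(order=True)
class Pkt:
    """One captured packet; ordering is by timestamp only."""
    ts: float
    src: str = field(compare=False)
    dst: str = field(compare=False)
    payload: bytes = field(compare=False)


# Constructed sample data: what each tap output would hand its own Snort instance.
INBOUND = [   # Internet -> firewall side of the tap
    Pkt(1.000, "203.0.113.5", "192.0.2.10", b"GET /admin HTTP/1.0"),
    Pkt(2.000, "203.0.113.5", "192.0.2.10", b"GET /index.html HTTP/1.0"),
]
OUTBOUND = [  # firewall -> Internet side of the tap
    Pkt(1.004, "192.0.2.10", "203.0.113.5", b"HTTP/1.0 200 OK"),
    Pkt(2.003, "192.0.2.10", "203.0.113.5", b"HTTP/1.0 404 Not Found"),
]


def merge_captures(*streams):
    """Interleave already time-ordered per-direction captures into one stream,
    the way a span port (or a pcap merge) would present them to one sensor."""
    return list(heapq.merge(*streams, key=lambda p: p.ts))


def correlate(packets, trigger, response):
    """Toy activate/dynamic pair: a packet containing `trigger` arms a watch on
    the reverse flow; the next reverse-flow packet containing `response` is a hit.
    Returns the timestamps of the hits."""
    armed = set()
    hits = []
    for p in packets:
        flow = (p.src, p.dst)
        if flow in armed and response in p.payload:
            hits.append(p.ts)
            armed.discard(flow)
        if trigger in p.payload:
            armed.add((p.dst, p.src))   # watch for the reply direction
    return hits


if __name__ == "__main__":
    # One-directional instance never sees the answer; the merged view does.
    print("inbound only:", correlate(INBOUND, b"GET /admin", b"200 OK"))
    print("merged      :", correlate(merge_captures(INBOUND, OUTBOUND),
                                     b"GET /admin", b"200 OK"))
```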