[Snort-users] Tap traffic reassembly using OpenBSD bridge?

Douglas Douglas at ...5944...
Sun May 26 10:51:02 EDT 2002


I wasn't able to find any information on this mentioned previously, so apologies if it has been posted before. Also, I've only tested this on OpenBSD 3.1, so I have no idea if it works on other operating systems.

Under OpenBSD, if the two interfaces connected to the tap output ports are configured to be members of a bridge (learn and discover disabled), then it is possible for snort to sniff off the virtual "bridge0" interface and capture all traffic from the tap. This way the two traffic streams from the tap are reassembled without the need of an intermediary switch or other device. Also, there should be no oversubscription on the bridge0 interface as it is not limited to 100Mbps.

Expanding this, if one or more output interfaces are added to the bridge (learn disabled) then it is possible to use pf to filter the traffic passing out of these interfaces. So for example there could be multiple IDS sensors connected to the bridging system, with the output to these sensors individually filtered by port, destination address etc.

Can anyone comment on if they can see any disadvantages/faults to this method? Is this a viable alternative to using a dedicated switch or other device for tap traffic reassembly?
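
The setup described in the message above, as an added example that is not part of the original post: a dry-run sh script that prints the brconfig(8) commands and pf rules for it. The interface names (fxp0/fxp1 facing the tap, fxp2 feeding a second sensor) and the port 80 filter are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed interface names:
#   fxp0, fxp1 = NICs cabled to the two tap output ports (no IP address)
#   fxp2       = output NIC feeding an additional IDS sensor
# Uses brconfig(8) as shipped with OpenBSD 3.x. Prints commands only;
# review the output, then pipe it to sh as root to apply.

# Tap-facing members: learning and discovery off, so no frame is ever
# forwarded back toward the tap. Output members: learning off only.
# With nothing learned the address cache stays empty, so every frame has
# an "unknown" destination and is sent out of each member that still has
# discover set, which is only the output interfaces.
bridge_cmds() {
    _br=$1 _taps=$2 _outs=$3
    for _i in $_taps $_outs; do
        echo "ifconfig $_i up"
    done
    for _i in $_taps; do
        echo "brconfig $_br add $_i -learn $_i -discover $_i"
    done
    for _i in $_outs; do
        echo "brconfig $_br add $_i -learn $_i"
    done
    echo "brconfig $_br up"
}

# pf rules limiting what one output interface carries. Both halves of a
# conversation leave this interface in the "out" direction, so state
# tracking cannot match the replies; each direction needs its own rule.
sensor_rules() {
    _if=$1 _proto=$2 _port=$3
    echo "block out on $_if all"
    echo "pass out on $_if proto $_proto from any to any port $_port"
    echo "pass out on $_if proto $_proto from any port $_port to any"
}

bridge_cmds bridge0 "fxp0 fxp1" "fxp2"
echo "# pf.conf rules for the sensor on fxp2 (web traffic only):"
sensor_rules fxp2 tcp 80
echo "# local sensor sees the merged stream with: snort -i bridge0"
```

pf only inspects IP, so non-IP frames are not covered by these rules.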

