[Snort-users] Passive Tap Help

Dirk Geschke Dirk at ...10648...
Mon Dec 1 20:18:29 EST 2003


Hi all,

> > It may be worth replacing the "switch/spanned port" section with a
> > second "sniffing interface" to the sensor.  i.e.  One interface sniffs
> > incoming, the other sniffs outgoing.

[...]

> Yup, that's been advertised as a solution. I like to see some comments
> from folks using it as well.
> 
> But you need to be clearer on the second interface solution. It is
> possible to use a second NIC and have two pcaps running and the IDS
> reassembling the data itself. Or you can have two NICs set up as a
> bonded/joined interface where the OS does the reassembling and a single
> instance of pcap and IDS runs over the traffic.
> 
> My guess on performance is that 1) produces an unneeded overhead that
> can be saved with 2). Since there is only a single instance of pcap/IDS,
> it shouldn't impact performance at all.

There is one important thing you should not overlook. With two separate
instances of snort and therefore two instances of pcap you won't be
able to use the stream4 preprocessor and especially the "established"
feature. But this is one of the most important features. Otherwise you
can feed the one snort process with as many false positive alerts
as you like. For example the "fpg" program (this is part of FLoP) is
able to generate such network packets at a very high rate. The limit
is given by your network...

Best regards

Dirk 
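An added illustration of the point made above (toy code written for this page, not Snort's stream4 and not part of the original thread): a minimal three-way-handshake tracker is fed constructed traffic, once with both tap legs merged into one stream and once with the incoming leg alone. The host addresses and the content match are constructed.

```python
# Toy model of "established"-only alerting. A sensor that sees only one
# direction of a passive tap never observes the SYN/ACK, so it can never
# mark a flow established; dropping that check lets forged, unsolicited
# segments trigger the content rule.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst flags payload")   # flags: frozenset of TCP flags

CLIENT, SERVER, STRANGER = "10.0.0.5", "10.0.0.80", "198.51.100.9"  # constructed
SIGNATURE = b"/cgi-bin/phf"   # constructed content match standing in for a rule

def flow_key(p):
    return tuple(sorted((p.src, p.dst)))

class FlowTracker:
    """Minimal handshake tracker: SYN -> SYN/ACK -> ACK => ESTABLISHED."""
    def __init__(self):
        self.state = {}   # flow_key -> (phase, initiator)
    def update(self, p):
        k, f = flow_key(p), p.flags
        phase, init = self.state.get(k, ("NEW", None))
        if phase == "NEW" and f == {"S"}:
            self.state[k] = ("SYN", p.src)
        elif phase == "SYN" and f == {"S", "A"} and p.dst == init:
            self.state[k] = ("SYNACK", init)
        elif phase == "SYNACK" and f == {"A"} and p.src == init:
            self.state[k] = ("ESTABLISHED", init)
    def established(self, p):
        return self.state.get(flow_key(p), ("NEW",))[0] == "ESTABLISHED"

def run_sensor(packets, require_established=True):
    """Return the payload-matching packets the sensor would alert on."""
    tracker, alerts = FlowTracker(), []
    for p in packets:
        tracker.update(p)
        if SIGNATURE in p.payload and (tracker.established(p) or not require_established):
            alerts.append(p)
    return alerts

# Constructed traffic: one real request after a full handshake, plus one
# unsolicited data segment from a host that never completed a handshake.
FULL_STREAM = [
    Pkt(CLIENT, SERVER, frozenset("S"), b""),
    Pkt(SERVER, CLIENT, frozenset("SA"), b""),
    Pkt(CLIENT, SERVER, frozenset("A"), b""),
    Pkt(CLIENT, SERVER, frozenset("PA"), b"GET /cgi-bin/phf HTTP/1.0\r\n"),
    Pkt(STRANGER, SERVER, frozenset("PA"), b"GET /cgi-bin/phf HTTP/1.0\r\n"),
]
# What a sensor on the "incoming" tap leg alone sees: the SYN/ACK is missing.
INCOMING_ONLY = [p for p in FULL_STREAM if p.dst == SERVER]
```

With both legs merged, `run_sensor(FULL_STREAM)` alerts only on the real request; on the incoming leg alone the established check alerts on nothing, and removing it alerts on the forged segment too.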