[Snort-users] passive tap

christian graf chr.graf at ...348...
Tue Dec 2 01:33:00 EST 2003


Hi,

my experiences with another IDS than snort are the following:
1) the easiest solution is mirroring the e.g. 100Mbit link to a 1Gig
link. Having this you are avoiding oversubscritpion and you do not have
to change anything on your IDS. Thats independant from the usage of any
taps. You don't need them in this scenario.
2) The worst is like other said, having two instances of SNORT/libpcap
running. Huge overhead, poor performance and the loss of any
stateful-capabilities / preprocessors. That will not satisfy anybody.
3) the bridging solution
I tried this and the results a really bad. Bridging produces overhead
and more important, as the your SNORT-device is acting like a bridge,
you have to DISABLE the forwarding on your "snort-bridging-device". If
not, all packets may be seen on both interfaces and therefore you get
all alerts twice. I wouldn't take it.
4) the bonding
yes, the bonding was a real nice success. Just enable the
bonding-interface and you get what you want. You can use 2 nics, having
the tapped rx and tx streams recombined in the bonding-interface and you
need only one instance of snort running. I have never thought if packets
may be disordered when using a bonding-interface. This could be a
potential problem when thinking about statefulness and the
preprocessors. But maybe anybody in this list could clarify this.
regarding this limitation, point (1) is the most safe unless your
switch/router is powerful enough in his mirroring capabilities.


hope this helps

christian






More information about the Snort-users mailing list