[Snort-users] Line aggregation (was: Snort as Gigabit Sensor)

Williams Jon WilliamsJonathan at ...2134...
Mon Jul 28 12:36:02 EDT 2003


The problem is basically collisions.  They're more likely to occur since the
traffic will be coming in from multiple WAN links and, since I'm getting the
traffic from taps rather than from more intelligent devices, there's more
likely going to be problems with resolution of what happens when a collision
occurs.

Jon

-----Original Message-----
From: Edin Dizdarevic [mailto:edin.dizdarevic at ...7509...]
Sent: Saturday, July 26, 2003 6:53 AM
To: Williams Jon
Cc: snort
Subject: Re: [Snort-users] Line aggregation (was: Snort as Gigabit
Sensor)




Williams Jon wrote:
> Thanks, but my problem is more from the number of cables than from the
> number of IP networks.  Since I've got 24 taps, that means I've got 48
> ethernet cables that I want to monitor, but I don't want to have to buy 48
> boxes and I don't have enough space in my boxes for 48 ports (each box has
2
> available PCI slots, which gives me only 8 ports per box if I use quad
> ethernet cards).
> 
> Right now, I've got 3 physical sensors, although I want to add a 4th to do
> statistical analysis and p0f-style OS fingerprinting if I can find a way
to
> do it.  That means that I need a way to "funnel" the 48 input ports down
to
> 3 output ports and then copy all of the input traffic to a 4th output for
> the stat collection.  So far, I haven't found anything that can do that
kind
> of traffic management.

Sorry for asking stupid:

Using hubs is not an option?

Regards,

Edin


-- 
Edin Dizdarevic






More information about the Snort-users mailing list