[Snort-users] Ethernet Tap

Richard Bejtlich richard_bejtlich at ...131...
Fri Apr 16 08:32:14 EDT 2004


Sean Lazar wrote:

The reason for a two card setup with a tap is to
physically prevent your IDS from ever transmitting. 

--

Don't forget that a tap preserves the full duplex
nature of a link, unlike a hub.  The two outputs to
the probe on a traditional tap represent the two TX
sides of a full duplex conversation.  That's why
traditional tap outputs feed into two probe NICs.

I say "traditional tap" because the new Net Optics
10/100 Ethernet Port Aggregator Tap is the first
device to offer a RAM-buffered single output.[0]

I don't buy the "buy a switch" argument either.  I did
a cost and feature comparison at my Blog:

http://taosecurity.blogspot.com/2004_04_01_taosecurity_archive.html#108103774817736037

===

Jens Altrock wrote:

I'd need software that reassembles the network
traffic in a way, right?

--

Jens,

I just posted on my Blog the method I use to combine
separate physical NIC traffic into a single virtual
NIC:

http://taosecurity.blogspot.com/2004_04_01_taosecurity_archive.html#108212869210865161

When you have that single virtual NIC, you can run
Tcpdump or Snort against it without problems.

Good luck,

Richard
http://www.taosecurity.com

[0] See
http://www.netoptics.com/products/product_family_details.asp?cid=1&pid=3&Section=products&menuitem=1
for info on the Net Optics product.
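As an added example (not code from Richard's blog post or from anyone in this thread): when the two tap outputs are captured to separate pcap files rather than joined into a virtual NIC, the two one-way streams can still be interleaved by timestamp offline so that Snort or Tcpdump sees one full-duplex conversation. It assumes classic little-endian microsecond pcap files and uses constructed placeholder packet payloads, not real Ethernet frames.

```python
"""Merge two single-direction pcap captures (one per tap TX output) into one
time-ordered pcap. Packets are ordered by (ts_sec, ts_usec); equal timestamps
keep side A first, since two NICs give no reliable wire order for ties."""
import struct

PCAP_MAGIC = 0xA1B2C3D4                   # microsecond-resolution libpcap magic
GLOBAL_HDR = struct.Struct("<IHHiIII")    # magic, major, minor, zone, sigfigs, snaplen, linktype
PKT_HDR = struct.Struct("<IIII")          # ts_sec, ts_usec, incl_len, orig_len


def read_pcap(data: bytes):
    """Yield (ts_sec, ts_usec, packet_bytes) for each record in a pcap image."""
    magic = GLOBAL_HDR.unpack_from(data, 0)[0]
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off = GLOBAL_HDR.size
    while off + PKT_HDR.size <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = PKT_HDR.unpack_from(data, off)
        off += PKT_HDR.size
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def write_pcap(records, linktype=1, snaplen=65535) -> bytes:
    """Serialise (ts_sec, ts_usec, packet_bytes) records as an Ethernet pcap."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, pkt in records:
        out += PKT_HDR.pack(ts_sec, ts_usec, len(pkt), len(pkt)) + pkt
    return bytes(out)


def merge_captures(side_a: bytes, side_b: bytes) -> bytes:
    """Interleave two one-way captures into one stream ordered by timestamp."""
    # sorted() is stable, so ties keep the side-A record ahead of side-B.
    records = sorted(list(read_pcap(side_a)) + list(read_pcap(side_b)),
                     key=lambda r: (r[0], r[1]))
    return write_pcap(records)


def demo():
    """Constructed sample: side A carries 'A1','A2', side B carries 'B1','B2',
    with timestamps alternating 1 ms apart, so the merge must interleave them."""
    side_a = write_pcap([(100, 0, b"A1"), (100, 2000, b"A2")])
    side_b = write_pcap([(100, 1000, b"B1"), (100, 3000, b"B2")])
    return [pkt for _, _, pkt in read_pcap(merge_captures(side_a, side_b))]


if __name__ == "__main__":
    print(demo())  # [b'A1', b'B1', b'A2', b'B2']
```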
