[Snort-users] eth. sniffing tech. solutions

Thomas Zauner Thomas_Zauner at ...12242...
Mon Aug 9 10:11:13 EDT 2004


hello,

I have a question about sniffing the 10 Mbit connection between a DSL
router and a PPTP dial-in machine running OpenBSD providing internet
access for 2 networks.
I want an IDS (at ?) to check the traffic.


  ----------       ---       ------------------     ---- <switch1>
  | router |-------|?|-------| OpenBSD (pptp) |----|
  ----------       ---       ------------------     ---- <switch2>

Different solutions for |?|:

--------------------------------------------------------------------------------------------

1) USING AN ETHERNET TAP

    There is a "building a passive ethernet tap" HOWTO on
    the snort homepage and it looks really easy and cheap
    to build one of these.

    ----------<TAP>----------
                | |
             ___| |____
            |  2 NICs  |
            |  + SNORT |
             ----------
    If I understood it right I need 2 NICs and bridge them
    (OpenBSD = bridge0) on my IDS to get full-duplex information.
    Then have snort run on the bridge.
    Does that really work like that? Hmmm?
    I found this "bridge 2 NICs solution" in another mailing list,
    but I am not convinced OpenBSD bridges do that.

    (probably a 3rd NIC leading to a management/secure net to control
    the IDS and check the data, but that's not the point so I left it out)

2)  JUST PUT A SYSTEM RIGHT IN THE MIDDLE
        __________________
       |  OpenBSD +       |
-------|  SNORT +         |------------------------
       |  2 NICs + bridge |
        ------------------
   
    Why not just use a dedicated system (like 500MHz + 515 RAM + 4GB HD)
    and bridge the 2 NICs (NO IPs) and just "listen" on one of them.
    This way if you want to react to an alert you could tear down the
    line easily, and also use a firewall (here pf) to do some additional
    blocking (maybe temporary).

    (also in this solution a 3rd NIC leading to a secure management net
    would be used)

3) HUBS
    not much different from the "homemade TAP" solution I guess

4) managed SPAN switches
    can't afford it because there are only 12+ port switches out there
    and they are too $$$



--------------------------------------------------------------------------------------------------
solution 2:
    The only negative thing is that if the IDS breaks down,
    so does your internet connection. But hey, the same applies
    probably to your firewall and the router too.
solution 4:
    is very good if you can afford it and if you need it.
solution 1/3:
    well, why not just make a TAP yourself.

But why then are there so many discussions out there on how to do it?

CONCLUSION: I HAVE MISSED STH. PLEASE HELP ME. I WOULD LOVE TO RTFM.


thx a lot,
thomas
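Added example, not part of the original post or of any Snort or OpenBSD documentation: a small POSIX sh script that renders the OpenBSD files behind "solution 2" (two NICs bridged with no IP addresses, Snort listening on one bridge member, pf holding a table of hosts that an operator blocks temporarily after an alert). The interface names fxp0/fxp1/fxp2, the management net 10.0.0.0/24, the one-hour expiry and the file layout are assumptions. The script refuses to write under / so it can be previewed in a scratch directory; the files are copied into place by hand.

```shell
#!/bin/sh
# Added example (not from the original post): render the OpenBSD files
# behind "solution 2" -- two NICs bridged with no IP addresses, Snort
# listening on one bridge member, pf holding a table of hosts blocked in
# reaction to an alert. Interface names fxp0/fxp1/fxp2, the management
# net 10.0.0.0/24 and the 3600 s expiry are assumptions, not the post's.
#
# Nothing here touches the live system: files are rendered below $ROOT,
# and rendering is refused when ROOT is "/", so the example never
# overwrites a real /etc.  Preview with:  ROOT=/tmp/preview sh bridge-ids.sh

ROOT="${ROOT:-/}"
OUT_IF="${OUT_IF:-fxp0}"      # member facing the DSL router (assumed name)
IN_IF="${IN_IF:-fxp1}"        # member facing the pptp/LAN side (assumed name)
MGMT_IF="${MGMT_IF:-fxp2}"    # the 3rd NIC on the management net (assumed)
MGMT_NET="${MGMT_NET:-10.0.0.0/24}"
PFCTL="${PFCTL:-pfctl}"       # overridable so the block can be dry-run

# hostname.if(5): each bridged NIC comes up with no address, bridge0
# joins the two; netstart(8) reads these files at boot.  (Releases of
# the post's era kept the same three lines in /etc/bridgename.bridge0.)
write_bridge_config() {
    mkdir -p "$ROOT/etc"
    printf 'up\n' > "$ROOT/etc/hostname.$OUT_IF"
    printf 'up\n' > "$ROOT/etc/hostname.$IN_IF"
    printf 'add %s\nadd %s\nup\n' "$OUT_IF" "$IN_IF" \
        > "$ROOT/etc/hostname.bridge0"
}

# pf.conf(5): on a bridge pf filters on the member interfaces, so blocking
# "in" on both members covers both directions.  <blocked> is a persistent
# table, i.e. it stays defined while empty and is filled with pfctl.
write_pf_config() {
    mkdir -p "$ROOT/etc"
    cat > "$ROOT/etc/pf.conf" <<EOF
ext_if = "$OUT_IF"
int_if = "$IN_IF"
mgmt_if = "$MGMT_IF"
mgmt_net = "$MGMT_NET"

table <blocked> persist

set skip on lo0

# hosts the IDS operator put into <blocked>: dropped in both directions
block in quick on { \$ext_if \$int_if } from <blocked>
block in quick on { \$ext_if \$int_if } to <blocked>

# everything else crosses the bridge; the IDS only observes
pass quick on { \$ext_if \$int_if }

# management NIC: only ssh from the management net reaches the box
block in on \$mgmt_if
pass in on \$mgmt_if proto tcp from \$mgmt_net to (\$mgmt_if) port 22
EOF
}

# Snort watches one bridge member; a member interface carries both
# directions of the bridged traffic, so one NIC is enough to listen on.
snort_command() {
    printf 'snort -D -i %s -c /etc/snort/snort.conf\n' "$OUT_IF"
}

# Temporary block in reaction to an alert: add the host to the table,
# and let entries older than an hour (assumed) fall out again.
block_host() {
    "$PFCTL" -t blocked -T add "$1"
}
expire_blocks() {
    "$PFCTL" -t blocked -T expire 3600
}

if [ "$ROOT" != "/" ]; then
    write_bridge_config
    write_pf_config
    echo "rendered under $ROOT/etc; review, copy into place, then run:"
    echo "  sh /etc/netstart bridge0; pfctl -e -f /etc/pf.conf; $(snort_command)"
fi
```

The design point is that pf does the reacting and Snort only observes: an alert leads to `block_host <addr>` from a management shell, and a periodic `expire_blocks` (cron, for instance) turns that into the "maybe temporary" blocking the post mentions without anyone editing pf.conf under pressure. Set `PFCTL=echo` to see the pfctl command lines without a running pf.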