AW: [Snort-devel] TAP usage

From: Poppi, Sandro <Sandro.Poppi(at)wacker.com>
Date: Tue Jun 17 2003 - 09:15:23 EDT

Paul, you asked about TAPs yesterday and got 2 answers (see http://marc.theaimsgroup.com/?t=105576743400003 <http://marc.theaimsgroup.com/?t=105576743400003&r=1&w=2> &r=1&w=2). It is of course necessary to reassemble the 2 splitted data streams from the Taps. This can be achieved as suggested yesterday via linux channel bonding (or the *BSD equivalent), using a switch with port aggregation and port mirroring, with special equipment like toplayer switches, or as you've already tested with a hub. All have pros and cons. These have also already been discussed on the snort-users list so give the archives a search ;)  

HTH,
Sandro

I have setup the router/switch method of connecting a snort sensor, and I have used the hub method.  

>From my investigations there are some flaws with both of them.
 

What I would like to do is have three nics in a sensor. One for the network connection the other two being connected directly from the tap to the NIC.s  

MY question is how do you setup snort to recognized that these two ports are the same data stream. Is it necessary ?  

Would like some guidance on this if you have the time...  

thanks
Paul Powenski

---

This SF.Net email is sponsored by: INetU Attention Web Developers & Consultants: Become An INetU Hosting Partner. Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission! INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php

---

Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel Received on Tue Jun 17 09:28:41 2003