Snort.org home  
Got Source? About Snort About Sourcefire Snort FAQ
Sourcefire Network Security - the creators of Snort
Snort News Downloads Snort Docs Rules Snort Community Snort Forums Snort Training
Search Site
Search Rules
Account
email
password
not registered?
user preferences

Snort Forums Archive

Archive Home » Snort Advanced » Traffic reassembly behind a tap

Please note that the categories listed below represent an archived version of our forums pages. To view the current version and be able to post and reply to threads, please register and login here to go to the full forums pages.

[ Notice: Full Version of This Topic ]

Traffic reassembly behind a tap


Posted by kernel on March 31, 2005 11:59:27

Hey!

I was wondering if anyone could give me some suggestions on how I might reassemble the two half-duplex streams provided via my network taps into a single (virtual) interface so that I can take advantage of some of the newer features in Snort 2.3.0, not just the pure signature-based functionality.

I am using a Net Optics 10/100BaseT tap (obviously, not a port-aggregator tap)

http://www.netoptics.com/products/product_family_details.asp?cid=1&pid=4&Section=products&menuitem=1

I'd like to ensure that the two streams are accurately combined in a true FIFO fashion.

I am running the 2.6 Linux kernel on a custom "distribution".

Thanks!

Posted by bfranklin on April 07, 2005 18:14:13

Have you considered using snort-inline instead, with a null route for all passed-through packets? Just
configure iptables to queue all packets not destined for your host on your monitoring interfaces. Dirty,
but quick FIFO queue.

Posted by DG on April 10, 2005 02:32:37

Just create a bonding interface consisting of the two sniffing interfaces.
Then start snort on this interface (bond0).

For more information see Documentation/networking/bonding.txt in the source
tree of the linux kernel.

Dirk

Posted by bdinello on April 15, 2005 12:09:03

We have had much success with bonding interfaces - copper and fiber. That would be my suggestion.



But if you don't have any spare interfaces, you could always plug the taps into a little 4 port hub and stick the IDS in there with it. It's ultra-ghetto, but it does work.


Cheers.

Posted by romandas on April 23, 2007 06:51:22

I realize this topic is 2 years old, but this last bit is incorrect:

> But if you don't have any spare interfaces, you could always plug the taps into a little 4 port hub and stick the IDS in there with it. It's ultra-ghetto, but it does work.

If you plug the two lines from a tap into a hub to 'combine the traffic', you certainly will.. combining them and creating tons of collisions that results in a major loss of traffic. Any time both sides of a full-duplex connection transmit at the same (or nearly the same) time the hub will cause them to collide. Since you're using a tap, the packets will not be retransmitted by the source -- they don't see the collision.

I suggest using the bonding method above.
site feedback | Terms of Use | Privacy Policy | forum archives ©2007 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.