Hi All,

I have an interesting routing/firewalling question. I am using a Snort IDS with a 10/100 tap. The tap contains two "monitoring" ports (one for each direction). In order to make this data useful, the two ports need to be combined onto one port so the IDS can see both sides of the conversation.

On a 10Meg Half-Duplex connection I can use a hub to combine the flows. If the connection is 100Meg Full-Duplex, the hub doesn't work because of collisions (since the tap is receive only, the data is not retransmitted).

I have been looking for a few days for solutions to this problem. The only one I found was to purchase a "Top-Layer Switch"; since this is not an option, I started thinking about other solutions.

Is this a feasible solution: the IDS box has 3 Ethernet ports, two unnamed (no IP address) and one in the management network. Each of the two unnamed ports gets connected to each port on the management side of the tap. Snort can only look at one interface, so we need to combine/redirect all traffic from both of these ports to a dummy interface which Snort would be running on.

Is it possible with the new ip tools (ip link, address, route, etc.) to blindly say that all packets arriving on eth1 and eth2 be copied to dummy0 without changing any of the packet (like the src or dst address)? Or is there a kernel module that would do this?

Any help would be great.

Glenn