[Oisf-users] suricata setup with a passive tap

David david at damnetwork.net
Wed Mar 20 01:42:35 UTC 2013

On Mar 19, 2013, at 11:09 AM, Duarte Silva <duarte.silva at serializing.me> wrote:

> On Tuesday 19 March 2013 17:13:04 Victor Julien wrote:
>> On 03/19/2013 02:28 PM, David wrote:
>>> I have a question I couldn't find in the archives and I'm hoping it's not
>>> silly, heh.
>>> I built a passive tap (see below for details) to monitor the traffic
>>> coming and going from the internet (cable modem) to my router (Apple
>>> Airport Extreme).  The tap is setup so that the traffic gets copied to an
>>> internal server (batista) where suricata monitors and alerts, strictly
>>> being used as an IDS for now.   Basically, here's my traffic flow:
>>>  - interface: eth2
>>>    threads: 1
>>>    cluster-id: 98
>>>    cluster-type: cluster_flow
>>>    defrag: yes
> Add the use-mmap property to the eth2 interface configuration, I think it is 
> also needed in order for memory mapping to be used (per interface setting).

Done, thanks!  Not sure why I didn't catch that before.  Probably because I'm a bit of a newb to Suricata, heh.

>>> passive tap:
>>> http://www.yourwarrantyisvoid.com/2011/04/06/homeland-security-build-a-passive-ethernet-tap/
> One thing I think they don't explain is that this kind of tap only works well 
> for 100Mbps networks; for Gigabit, either it is able to downgrade the 
> connection so that the negotiation occurs at 100Mbps or you will have packet 
> loss depending on the amount of traffic. This will only matter if you are using 
> a Gigabit network.

HAHAHAHA!  Oh, man!  I spent a week trying to figure out why I was getting such inconsistent results when I was first building this up.  I kept going over the wiring, thinking I was using the wrong twisted pair, then the wrong slots on the post, then the wire wasn't making good contact, then some other thing.  I finally put two and two together and forced the 2 listening devices to 100M and bam!  Consistent snooping every time, lol!

>>> The reason I'm using a passive tap is I don't want my IDS box to be a
>>> point of failure.  If the server goes down, I want traffic to still flow.
>> Looks good to me.

Awesome, thanks!  I'll post my follow up in a different thread now that this part is effectively resolved.

> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
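As an added illustration (not part of the original thread, and not David's actual suricata.yaml), here is what the af-packet section looks like once the use-mmap setting suggested above is applied to each tap interface. The thread only shows eth2; a second listening NIC named eth3 with cluster-id 99 is an assumption here, based on David's mention of "2 listening devices" (a passive tap delivers each direction of the link to a separate receive-only port). Everything else mirrors the settings quoted in the thread.

```yaml
# af-packet capture for a two-port passive tap (added example, not from the thread).
af-packet:
  - interface: eth2          # NIC on the tap port that sees one direction of the link
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes            # per-interface setting; enables memory-mapped capture
  - interface: eth3          # ASSUMED second NIC on the tap's other port (other direction)
    threads: 1
    cluster-id: 99           # ASSUMED; cluster-id must be unique per interface
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
```

Suricata reassembles both directions of a connection into one flow even when the two halves arrive on different interfaces, so each interface gets its own cluster-id while the flow table is shared. The link speed is not a Suricata setting: the receive-only tap ports cannot complete autonegotiation, which is why the listening NICs are forced to 100 Mbps at the OS level (on Linux, `ethtool -s eth2 speed 100 duplex full autoneg off`, repeated for the second NIC) before Suricata is started.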
