Hi all,

I have a 3.3-based firewall, and I am looking at deploying snort on a 3rd interface. It seems like dup-to is the best option for this, but I have a few questions as to how it works.

How does dup-to work with scrub? If scrub is reassembling packets, how could the IDS pick up a fragmented attack?

I have explicit deny rules in place, so I am assuming the following would work?

    block log on $ext_if dup-to $IDS all

If that wouldn't do the trick, what would?

The 3rd interface will simply be "up" with no IP, and the IDS is active with a unidirectional cable connecting the two. Are there any issues with that?

If anyone has suggestions or comments, I'd appreciate it. As to why I am resorting to this... I was denied a mirror port on our switch, a tap costs more than I want to spend, and an inline hub is ridiculous IMO.

Thanks,
Aaron
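An added pf.conf sketch of the deployment described in the post (example configuration, not the poster's rule set and not a reply from the list). The interface names, the default-pass policy with sample deny rules, and the tcpdump check are assumptions.

```pf
# Added example: pf.conf (OpenBSD 3.x syntax) for copying traffic on the
# external interface to an IDS monitor interface. Interface names are assumed;
# the monitor interface is brought up without an address, as in the post:
#   ifconfig fxp2 up
ext_if = "fxp0"
IDS    = "fxp2"

# Normalization runs before the filter rules are evaluated, so a packet that
# scrub reassembles reaches the rules, and any dup-to copy made by the
# matching rule, as the reassembled packet rather than as the original
# fragments.
scrub in all

# pf uses last-matching-rule semantics (unless "quick" is used), and dup-to is
# taken from the rule that finally matches. Every rule that can be the final
# match for traffic on $ext_if therefore carries dup-to; otherwise the IDS
# silently misses whatever that rule handles.
#
# Sample policy (constructed): pass everything on $ext_if, then explicit
# denies below, which match last and therefore win.
pass log on $ext_if dup-to $IDS all

# Explicit denies (constructed samples); each also carries dup-to so the
# copy is still made when one of these is the final match.
block in log on $ext_if dup-to $IDS from 192.0.2.0/24 to any
block in log on $ext_if dup-to $IDS proto tcp from any to $ext_if port 23

# Check, on the firewall itself with the monitor interface up, that copies
# really leave it:
#   tcpdump -n -i fxp2
# If nothing appears for traffic that clearly matched a dup-to rule, confirm
# on the running release whether dup-to fires for that rule type (the post
# asks this for block rules) and whether the next hop can be resolved over a
# one-way link (a static ARP entry for a dup-to next-hop address is the usual
# workaround; this is an assumption, not something the post states).
```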