Hi all,
I have a 3.3 based firewall, and I am looking at deploying snort on a 3rd
interface. It seems like dup-to is the best option for this, but I have a
few questions as to how it works.
How does dup-to work with scrub? If scrub is reassembling packets, how
could the IDS pick up a fragmented attack?
I have explicit deny rules in place, so I am assuming the following would
work?
block log on $ext_if dup-to $IDS all
If that wouldn't do the trick, what would?
The 3rd interface will simply be "up" with no IP and the IDS is active with
a unidirectional cable connecting the two. Are there any issues with that?
If anyone has suggestions or comments, I'd appreciate it.
As to why I am resorting to this. I was denied a mirror port on our switch, a
tap costs more than I want to spend, and an inline hub is ridiculous IMO.
Thanks,
Aaron