Using Gigamon G-TAP A Series with SO


KiwiNewbie

Jul 18, 2016, 7:20:46 PM
to security-onion
Hello,

I am thinking about using the Gigamon G-TAP A Series with Security Onion; however, I do not know how this will work with SO. The TAP does not seem to provide aggregation of packets (full-duplex?) so I guess I need two NICs on the server running SO to match the two monitoring ports on the TAP.

If this is the case then how do you configure SO using Snort and BRO to monitor both NICs? It would be amazing if Snort and BRO can be smart enough to merge both NICs' data!

https://www.gigamon.com/products/g-tap-a-series

Cheers

Kiwi!

Wes

Jul 18, 2016, 7:47:49 PM
to security-onion

KiwiNewbie

Jul 18, 2016, 7:58:29 PM
to security-onion

Thank you Wes.

I also located this thread and the following recommendation - https://groups.google.com/forum/#!searchin/security-onion/tap/security-onion/pVm2cKePkNM/PifD3uhHZEEJ

"The solution for this is simple really. Before running sosetup, simply create a bridge interface with both NICs in it. This will combine RX and TX from the tap and keep it as a single interface presented to Snort etc.
This way you won't run into throughput problems that you would with an agg tap or a port span."
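
One way to build the bridge that the quoted recommendation describes, as an added example that is not part of the original thread or of Security Onion's own tooling. The names `br0`, `eth1` and `eth2` are placeholders, and the offload and ARP settings are assumptions about a typical sniffing-only sensor.

```shell
#!/bin/sh
# Added example: join the two monitor ports of a non-aggregating tap into one
# bridge so the IDS sees both traffic directions on a single interface.
# br0, eth1 and eth2 are placeholder names (assumptions), not from the thread.

# Print each command; execute it only when DRY_RUN is not set to 1.
run() {
    echo "+ $*"
    [ "${DRY_RUN:-0}" = "1" ] || "$@"
}

# build_tap_bridge BRIDGE NIC_A NIC_B
build_tap_bridge() {
    if [ "$#" -ne 3 ]; then
        echo "usage: build_tap_bridge BRIDGE NIC_A NIC_B" >&2
        return 2
    fi
    bridge=$1; shift
    if [ "$1" = "$2" ]; then
        echo "error: the two tap-facing NICs must be different" >&2
        return 2
    fi
    run ip link add name "$bridge" type bridge || return 1
    # The sensor only listens, so spanning tree is not needed on the bridge.
    run ip link set dev "$bridge" type bridge stp_state 0 || return 1
    for nic in "$@"; do
        # Disable receive offloads so captured packets are not coalesced.
        run ethtool -K "$nic" gro off lro off || return 1
        # No ARP and no IP address: the port is for capture, not for talking.
        run ip link set dev "$nic" arp off promisc on up || return 1
        run ip link set dev "$nic" master "$bridge" || return 1
    done
    run ip link set dev "$bridge" arp off promisc on up || return 1
}

# Preview the commands first, then run as root before sosetup and select
# the bridge as the monitor interface:
#   DRY_RUN=1 build_tap_bridge br0 eth1 eth2
#   build_tap_bridge br0 eth1 eth2
```

Interfaces created this way do not survive a reboot, so the same settings need to go into the distribution's persistent network configuration once they are confirmed to work.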
