TZSP Streams instead of TAP/MIRROR/SPAN?

[Paul Peterson]

I was wondering if its possible or practical to use TZSP streams from my firewall instead of mirror or span ports on my switches for sensors.

Thanks.

[Liam Randall]

It does not appear to me that latest snort has support for TZSP compiled in; googling around I see an old patch 'listed' from a company called network chemistry (chris....@networkchemistry.com), however I did not locate it.

Another dead link:

http://snort-wireless.org/  listed here.

Suricata does not support TZSP either.

Doesn't look like Bro will either.

Dualcomm taps are very inexpensive; try one of those.

Liam

[Paul Peterson]

Its not that taps or mirror/span switches are expensive, its just that they add more physical presence. Many of my clients have small closets with only a 4x4 piece of wood hanging on the wall where their dumb, non-mirroring port type switches are. Sharing space with their PBX and/or telco demarc.

I use Mikrotik as firewalls for small network installs and they support TZSP streaming right inside the firewall chains and even in the bridges in the form of "calea" support and wireshark support.

For spot analyzing, it would be more convenient if TZSP was supported.

No biggie though.

Just checking.

[Joel Esler]

We do not support the decoding of that protocol. Is that a feature request?

--

Joel Esler