Snort mailing list archives
Re: Asymmetric Data
From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 18 Jul 2003 15:24:54 -0400
At 02:06 PM 7/18/2003 -0400, Michael L. Artz wrote:
How well does snort handle asymmetric data, i.e. an incoming link but no outgoing link? I figure that most of the signatures should be fine, since most of them are looking for content and/or packet flags, but what about the preprocessors, such as stream4? Are there certain preprocessors that should be left turned off if snort is only seeing one side of the traffic? Any suggestions on how to best tune snort given only one side of a link?
Actually the signatures will break as well. Any signature which uses flows will fail, which is most of them in 2.0.0.
Sorry, but the stateful ruleset helps avoid false positives and some avoidance cases, but requires snort to see the whole 3-way handshake of TCP establishment in order for it to know which side is the server, which is the client, and if the connection is established or not.
Stream4 will also be defunct without the whole traffic stream, as it will usually flush when data is sent in the "other direction" than the currently buffered part of a stream.
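An added toy model (not Snort's own code) of the point made above: a tracker that learns client/server roles and the established state only from the full 3-way handshake, so a content rule carrying flow:to_server,established matches on a two-way capture but never on a one-sided one, while the same rule without flow: still matches. Packets, addresses and the "/cgi-bin/" content are constructed.

```python
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10


@dataclass
class Pkt:
    src: str            # constructed labels for the two endpoints
    dst: str
    flags: int
    payload: bytes = b""


class FlowTracker:
    """Simplified stream tracking: roles and state come only from the handshake."""

    def __init__(self):
        self.sessions = {}  # (endpoint pair) -> {"client", "server", "state"}

    def _key(self, p):
        return tuple(sorted((p.src, p.dst)))

    def update(self, p):
        s = self.sessions.get(self._key(p))
        if s is None:
            if p.flags == SYN:  # a bare SYN tells us who the client is
                s = {"client": p.src, "server": p.dst, "state": "SYN"}
                self.sessions[self._key(p)] = s
            return s            # midstream packet with no handshake: no role info
        if s["state"] == "SYN" and p.flags == SYN | ACK and p.src == s["server"]:
            s["state"] = "SYN_ACK"
        elif s["state"] == "SYN_ACK" and p.flags & ACK and p.src == s["client"]:
            s["state"] = "ESTABLISHED"
        return s


def rule_matches(tracker, p, content, flow=None):
    """Content rule; flow='to_server,established' mimics Snort's flow keyword."""
    s = tracker.update(p)
    if content not in p.payload:
        return False
    if flow is None:
        return True
    if s is None or s["state"] != "ESTABLISHED":
        return False
    return p.src == s["client"]  # to_server: packet travels client -> server


def count_alerts(packets, flow):
    tracker = FlowTracker()
    return sum(rule_matches(tracker, p, b"/cgi-bin/", flow) for p in packets)


# Constructed traces: full handshake vs. only the inbound (client->server) link seen.
FULL = [Pkt("c", "s", SYN), Pkt("s", "c", SYN | ACK), Pkt("c", "s", ACK),
        Pkt("c", "s", ACK, b"GET /cgi-bin/x")]
ONE_SIDED = [Pkt("c", "s", SYN), Pkt("c", "s", ACK), Pkt("c", "s", ACK, b"GET /cgi-bin/x")]
```

On the one-sided trace the server's SYN-ACK is never seen, so the session never reaches ESTABLISHED and the flow-qualified rule stays silent even though the payload is identical.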