Snort mailing list archives

Re: Asymmetric Data


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 18 Jul 2003 15:24:54 -0400

At 02:06 PM 7/18/2003 -0400, Michael L. Artz wrote:
How well does snort handle asymmetric data, i.e. an incoming link but no outgoing link? I figure that most of the signatures should be fine, since most of them are looking for content and/or packet flags, but what about the preprocessors, such as stream4? Are there certain preprocessors that should be left turned off if snort is only seeing one side of the traffic? Any suggestions on how to best tune snort given only one side of a link?

Actually the signatures will break as well. Any signature which uses flows will fail, which is most of them in 2.0.0.

Sorry, but the stateful ruleset helps avoid false positives and some evasion cases, but requires snort to see the whole 3-way handshake of TCP establishment in order for it to know which side is the server, which is the client, and if the connection is established or not.

Stream4 will also be defunct without the whole traffic stream, as it will usually flush when data is sent in the "other direction" than the currently buffered part of a stream.
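As an added illustration of the failure mode described above (not code from the original thread or from Snort itself): a toy flow tracker that only reaches "established" after seeing all three handshake packets, with a stateful rule check next to a content-only one. Hosts, payload and rule content are constructed values.

```python
"""Why a flow-based rule goes blind when the sensor sees only one direction."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Pkt:
    src: str
    dst: str
    flags: str            # subset of "SAP" (SYN, ACK, PSH)
    payload: bytes = b""

@dataclass
class Flow:
    client: Optional[str] = None
    server: Optional[str] = None
    state: str = "NEW"    # NEW -> SYN_SENT -> SYN_RCVD -> ESTABLISHED

def track(flow: Flow, p: Pkt) -> None:
    """Advance the handshake; each step requires the previous one to have been seen."""
    if flow.state == "NEW" and p.flags == "S":
        flow.client, flow.server, flow.state = p.src, p.dst, "SYN_SENT"
    elif flow.state == "SYN_SENT" and p.flags == "SA" and p.src == flow.server:
        flow.state = "SYN_RCVD"
    elif flow.state == "SYN_RCVD" and "A" in p.flags and p.src == flow.client:
        flow.state = "ESTABLISHED"

def stateful_rule(flow: Flow, p: Pkt, content: bytes) -> bool:
    """Equivalent of: flow:to_server,established; content:"...";"""
    return flow.state == "ESTABLISHED" and p.src == flow.client and content in p.payload

def stateless_rule(p: Pkt, content: bytes) -> bool:
    """Equivalent of a plain content-only rule with no flow keyword."""
    return content in p.payload

def run(packets: List[Pkt], content: bytes = b"GET /etc/passwd") -> Tuple[str, int, int]:
    """Return (final flow state, stateful hits, stateless hits) for a packet sequence."""
    flow, stateful_hits, stateless_hits = Flow(), 0, 0
    for p in packets:
        track(flow, p)
        stateful_hits += stateful_rule(flow, p, content)
        stateless_hits += stateless_rule(p, content)
    return flow.state, stateful_hits, stateless_hits

C, S = "10.0.0.5", "192.0.2.10"   # constructed client and server addresses
FULL = [Pkt(C, S, "S"), Pkt(S, C, "SA"), Pkt(C, S, "A"),
        Pkt(C, S, "AP", b"GET /etc/passwd HTTP/1.0")]
# Sensor on an inbound-only link: the server's SYN-ACK is never observed.
ONE_WAY = [p for p in FULL if p.src == C]

if __name__ == "__main__":
    print("both directions:", run(FULL))      # ('ESTABLISHED', 1, 1)
    print("inbound only:   ", run(ONE_WAY))   # ('SYN_SENT', 0, 1)
```

With only one direction the flow never leaves SYN_SENT, so the stateful rule stays silent while the same payload still trips the content-only rule.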

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users