Snort mailing list archives
Re: recommendation for monitoring traffic
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 27 Oct 2005 15:39:39 -0400
John Friedman wrote:
Hi all, Currently, I span the firewall port on the core switch to the Snort monitoring port only for Rx traffic. Snort is placed inside the firewall. I manage it through the second NIC on the Snort box.
Should I monitor both TX/Rx traffic?
Yes. If you only monitor "half the stream", most snort rules (anything using the "established" keyword) will never match. This is because stream4 won't see the full TCP 3-way handshake and will assume the packets it sees are just garbage and not part of a real connection.
If I want to exclude one server from the monitoring segment, what's the syntax?
Adding a BPF such as "host not 192.168.1.1" to your snort command line should work nicely.
Thanks in advance, John. BTW, I tried to exclude one server from this monitoring segment
eh?
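To make the point in the reply above concrete, here is an added illustration (not Snort's code, and not from either poster): a toy tracker that, like stream4, only marks a session "established" after it has seen both halves of the 3-way handshake, plus a content rule gated on that state. Run against a constructed client/server exchange it alerts when both directions are visible and stays silent when only one direction is spanned; a stateless version of the same rule still fires. A small helper also shows what excluding one host with a BPF does to the packet list. The addresses, port numbers and payload are made up for the example.

```python
# Added illustration, not Snort's own code: a toy stream tracker that shows why
# a rule gated on an "established" session cannot fire when the sensor sees only
# one direction of the TCP handshake. All packets below are constructed dicts,
# not captured traffic; addresses and ports are made up.

SYN = 0x02
ACK = 0x10
PSH = 0x08


def flow_key(pkt):
    """Direction-independent key so both halves of a connection share one state."""
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))


def next_state(state, flags):
    """Minimal 3-way handshake state machine: each step needs the peer's reply."""
    if state is None and flags == SYN:
        return "syn_sent"
    if state == "syn_sent" and flags == SYN | ACK:
        return "syn_received"
    if state == "syn_received" and flags & ACK and not flags & SYN:
        return "established"
    return state  # anything else: no progress (mid-stream or repeated packet)


def run_rule(packets, content, require_established=True):
    """Evaluate one content rule per packet, optionally gated on an established
    session (the toy equivalent of Snort's "established" flow check).
    Returns the list of (src, dst) pairs that alerted."""
    sessions = {}
    alerts = []
    for p in packets:
        k = flow_key(p)
        sessions[k] = next_state(sessions.get(k), p["flags"])
        if content in p.get("payload", b""):
            if not require_established or sessions[k] == "established":
                alerts.append((p["src"], p["dst"]))
    return alerts


def bpf_exclude_host(packets, host):
    """Mimics a BPF host exclusion: drop any packet where host is src or dst."""
    return [p for p in packets if host not in (p["src"], p["dst"])]


def pkt(src, sport, dst, dport, flags, payload=b""):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "payload": payload}


CLIENT, SERVER = "10.0.0.5", "192.168.1.10"   # constructed addresses
GET = b"GET / HTTP/1.0\r\n\r\n"

# Both directions visible (TX and Rx spanned): full handshake, then the request.
BOTH_DIRECTIONS = [
    pkt(CLIENT, 40000, SERVER, 80, SYN),
    pkt(SERVER, 80, CLIENT, 40000, SYN | ACK),
    pkt(CLIENT, 40000, SERVER, 80, ACK),
    pkt(CLIENT, 40000, SERVER, 80, PSH | ACK, GET),
]

# Only one direction visible (Rx-only span): the SYN/ACK is never seen, so the
# session is stuck in "syn_sent" and never becomes "established".
ONE_DIRECTION = [p for p in BOTH_DIRECTIONS if p["src"] == CLIENT]

if __name__ == "__main__":
    print("both directions, established rule:", run_rule(BOTH_DIRECTIONS, b"GET /"))
    print("one direction,   established rule:", run_rule(ONE_DIRECTION, b"GET /"))
    print("one direction,   stateless rule:  ", run_rule(ONE_DIRECTION, b"GET /", False))
    print("packets left after excluding the server:",
          len(bpf_exclude_host(BOTH_DIRECTIONS, SERVER)))
```

The stateless rule firing on the one-directional capture is the trap: dropping "established" from rules to get alerts back also reopens them to unsolicited or spoofed packets that never belonged to a real connection, which is exactly the garbage stream4 is meant to ignore. Spanning both TX and Rx fixes the root cause instead.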
Current thread:
- recommendation for monitoring traffic John Friedman (Oct 27)
- Re: recommendation for monitoring traffic Matt Kettler (Oct 27)