Educause Security Discussion mailing list archives
Re: bonded endace + snort
From: jeff murphy <jcmurphy () BUFFALO EDU>
Date: Fri, 29 Apr 2011 18:14:24 -0400
On Apr 29, 2011, at 18:09, Mike Lococo <mike.lococo () nyu edu> wrote:
... or you want to do stream reassemblyI think what you're saying here is that there is single-link which has been subdivided somehow. Either you have the incoming and outgoing portions of a tap on separate ports, or it's been load-balanced in some non-session-aware way. And you're recombining the traffic so that snort sees complete sessions instead of broken-up snippets of traffic. Yes?
Yes. We use a regen tap. Nature of the beast, etc
Current thread:
- bonded endace + snort Jeff Murphy (Apr 29)
- Re: bonded endace + snort Mike Lococo (Apr 29)
- Re: bonded endace + snort Jeff Murphy (Apr 29)
- Re: bonded endace + snort Mike Lococo (Apr 29)
- Re: bonded endace + snort jeff murphy (Apr 29)
- Re: bonded endace + snort Jeff Murphy (Apr 29)
- Re: bonded endace + snort Mike Lococo (Apr 29)