Re: bonded endace + snort

[jeff murphy <jcmurphy () BUFFALO EDU>]

On Apr 29, 2011, at 18:09, Mike Lococo <mike.lococo () nyu edu> wrote:

> >    ...  or you want to do stream reassembly 
>
> I think what you're saying here is that there is single-link which has
> been subdivided somehow.  Either you have the incoming and outgoing
> portions of a tap on separate ports, or it's been load-balanced in some
> non-session-aware way.  And you're recombining the traffic so that snort
> sees complete sessions instead of broken-up snippets of traffic.  Yes?


Yes. We use a regen tap. Nature of the beast, etc

>