Snort mailing list archives

RE: Snort, Stream4 State and Ethernet Taps.


From: counter.spy () gmx de
Date: Wed, 1 May 2002 18:57:07 +0200 (MEST)


Vjay,

I understand the whole concept of splitting one stream into two streams and how to put them back together. What I really am interested in understanding is if you don't, can't or won't put the two streams back together, how will it affect Stream4 stateful inspection.


This was also answered previously, by Chris Green.
  <previous post>
  counter.spy asked:
  Wouldn't I lose the stateful inspection capability of snort when
  using the third method? (that was running two instances, one for each interface)
  
  Chris Green answered:
  Yes.
  
  I further asked:
  Each snort process only sees one direction of each connection, so
  it cannot know if a connection has been properly established or not.
  It seems to me that this is a problem that most NIDS should
  encounter when running on tap ports, right?

  Chris answered:
  Yup.
  </previous post>

I am not interested in the "how to put things back together" conversation, just what will happen to stream4 if they are permanently split. Thanks!

Well, if you are running the -z est option you will lose sight of stateful TCP attacks (anyone correct me if I am wrong).

Otherwise, I think you would still get all attacks, and the split-up data streams should not affect the reassembly, because this can still be done for each direction. I suggest you run tests on this and let us know the results.

You will probably get problems if you use the detect_state_problems feature of the stream4 preprocessor.

vjl

HTH
Any more questions? ;)

Greetings,
Detmar
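The point Detmar makes above (an established-only policy goes blind when a sensor sees only one leg of a tap, while stateless content matching still fires and a state-problem check starts complaining) can be shown with a toy tracker. The following is an added example, not code from the thread or from Snort: it models a minimal three-way-handshake state machine, an "established only" switch standing in for `-z est`, and a "payload before handshake completed" check standing in for `detect_state_problems`, then runs it over constructed traffic seen from a merged SPAN-style feed versus a single tap leg. Addresses, ports, the HTTP payload and the `/etc/passwd` pattern are all constructed for the demonstration.

```python
# Added example (not from the thread or from Snort): a toy TCP session tracker
# that shows what a stream4-style "established only" policy (-z est) and a
# "state problem" check see when a tap splits the two directions of a flow.
from dataclasses import dataclass

SYN, ACK, PSH = 0x02, 0x10, 0x08


@dataclass(frozen=True)
class Pkt:
    """A constructed TCP packet carrying only the fields the tracker needs."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


def flow_key(p):
    # Direction-independent key so both halves of a connection share a session.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def inspect(packets, est_only=True, pattern=b"/etc/passwd"):
    """Return (alerts, state_problems, final_states) for a packet sequence.

    est_only stands in for -z est: content alerts fire only on ESTABLISHED
    sessions.  state_problems stands in for detect_state_problems: payload
    observed on a session whose handshake was never seen to complete.
    """
    states = {}
    alerts = []
    state_problems = []
    for p in packets:
        k = flow_key(p)
        st = states.get(k, "CLOSED")
        # Minimal three-way handshake tracking: SYN, SYN/ACK, ACK.
        if p.flags == SYN and st == "CLOSED":
            st = "SYN_SENT"
        elif p.flags == SYN | ACK and st == "SYN_SENT":
            st = "SYN_RCVD"
        elif p.flags & ACK and not p.flags & SYN and st == "SYN_RCVD":
            st = "ESTABLISHED"
        states[k] = st
        if p.payload and st != "ESTABLISHED":
            state_problems.append((k, st))
        if pattern in p.payload and (st == "ESTABLISHED" or not est_only):
            alerts.append((p.src, p.dst, p.dport))
    return alerts, state_problems, states


# Constructed traffic: one HTTP request with a suspicious path.
C, S = "10.0.0.5", "192.0.2.80"
CLIENT_TO_SERVER = [
    Pkt(C, 40000, S, 80, SYN),
    Pkt(C, 40000, S, 80, ACK),
    Pkt(C, 40000, S, 80, PSH | ACK, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
]
SERVER_TO_CLIENT = [Pkt(S, 80, C, 40000, SYN | ACK)]
# Interleaved order a sensor on a hub or SPAN port would see.
BOTH = [CLIENT_TO_SERVER[0], SERVER_TO_CLIENT[0],
        CLIENT_TO_SERVER[1], CLIENT_TO_SERVER[2]]


def compare():
    """Run the tracker over the merged feed and over one tap leg alone."""
    return {
        "both_est_only": inspect(BOTH),
        "one_leg_est_only": inspect(CLIENT_TO_SERVER),
        "one_leg_stateless": inspect(CLIENT_TO_SERVER, est_only=False),
    }


if __name__ == "__main__":
    for name, (alerts, problems, st) in compare().items():
        print(f"{name}: alerts={len(alerts)} state_problems={len(problems)} "
              f"states={list(st.values())}")
```

With both directions the session reaches ESTABLISHED and the content alert fires cleanly. Fed only the client-to-server leg, the session is stuck in SYN_SENT: the established-only run produces no alert at all, the stateless run still alerts on the payload, and in both single-leg runs the state-problem check flags the request as data on an unestablished session. That is the trade-off described in the message: without reuniting the tap legs you keep per-direction content detection but lose the handshake-based context, and the state-problem feature turns noisy.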

