Snort mailing list archives

Re: Snort and network taps


From: Chris Green <cmg () sourcefire com>
Date: Tue, 23 Apr 2002 08:27:48 -0400

counter.spy () gmx de writes:

> Wouldn't I lose the stateful inspection capability of snort when
> using the third method?

Yes.

> Each snort process only sees one direction of each connection, so
> it cannot know if a connection has been properly established or not.
> It seems to me that this is a problem that most NIDS should
> encounter when running on tap ports, right?

Yup.

> What would you recommend me to do, in order not to lose stateful
> analysis capabilities?

One of your other solutions or tap off a hub
-- 
Chris Green <cmg () sourcefire com>
Fame may be fleeting but obscurity is forever.
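
The point made in the thread, as an added illustration that is not part of the original message and is not Snort's own code: a minimal handshake tracker run over a constructed packet list, first as seen by a sensor that receives both directions (as on a hub), then as seen by a sensor attached to only one tap leg. The addresses, leg names "A"/"B" and the `track` function are assumptions made for the example.

```python
# Constructed sample: one TCP handshake plus a data packet crossing a tap.
# Each tuple is (tap_leg, src, dst, flags); leg "A" carries client->server
# traffic and leg "B" carries server->client traffic.
CLIENT, SERVER = "10.0.0.5:40000", "10.0.0.9:80"
CONN = frozenset((CLIENT, SERVER))
PACKETS = [
    ("A", CLIENT, SERVER, "S"),    # SYN
    ("B", SERVER, CLIENT, "SA"),   # SYN/ACK
    ("A", CLIENT, SERVER, "A"),    # ACK completes the handshake
    ("A", CLIENT, SERVER, "PA"),   # first payload packet
]


def track(packets):
    """Follow the three-way handshake and return the final state per connection."""
    conns = {}  # direction-independent key -> [state, initiator]
    for _leg, src, dst, flags in packets:
        conn = conns.setdefault(frozenset((src, dst)), ["NEW", None])
        syn, ack = "S" in flags, "A" in flags
        if conn[0] == "NEW" and syn and not ack:
            conn[:] = ["SYN_SEEN", src]
        elif conn[0] == "SYN_SEEN" and syn and ack and src != conn[1]:
            conn[0] = "SYNACK_SEEN"
        elif conn[0] == "SYNACK_SEEN" and ack and not syn and src == conn[1]:
            conn[0] = "ESTABLISHED"
    return {key: value[0] for key, value in conns.items()}


def sensor_view(leg):
    """Packets visible to a sensor attached to a single tap output."""
    return [p for p in PACKETS if p[0] == leg]


if __name__ == "__main__":
    print("both directions:", track(PACKETS)[CONN])
    print("leg A only:     ", track(sensor_view("A"))[CONN])
    print("leg B only:     ", track(sensor_view("B"))[CONN])
```

Neither single-leg sensor ever reaches ESTABLISHED, so any rule that depends on an established session cannot fire on its payload packets.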
