Snort mailing list archives
Re: Snort and network taps
From: Chris Green <cmg () sourcefire com>
Date: Tue, 23 Apr 2002 08:27:48 -0400
counter.spy () gmx de writes:
> Wouldn't I lose the stateful inspection capability of snort when using the third method?

Yes.

> Each snort process only sees one direction of each connection, so it cannot know if a connection has been properly established or not. It seems to me that this is a problem that most NIDS should encounter when running on tap ports, right?

Yup.

> What would you recommend me to do, in order not to lose stateful analysis capabilities?
One of your other solutions or tap off a hub

--
Chris Green <cmg () sourcefire com>
Fame may be fleeting but obscurity is forever.
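
The limitation discussed in the exchange above, as an added example that is not part of the original post and is not Snort's own stream tracking code: a minimal TCP handshake tracker fed both directions of a connection and then only one tap leg. The addresses, ports and packet tuple format are constructed for illustration.

```python
# Added illustration: minimal TCP handshake tracker (not Snort's implementation).
from collections import namedtuple

# flags is a frozenset of "S" (SYN) and/or "A" (ACK)
Pkt = namedtuple("Pkt", "src sport dst dport flags")

def flow_key(p):
    """Direction-independent key so both halves of a connection map together."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

def established_flows(packets):
    """Return flows for which SYN, SYN/ACK and the final ACK were all observed."""
    state = {}    # flow_key -> (stage, client endpoint)
    done = set()
    for p in packets:
        k = flow_key(p)
        sender = (p.src, p.sport)
        stage, client = state.get(k, ("NEW", None))
        if p.flags == {"S"} and stage == "NEW":
            state[k] = ("SYN_SEEN", sender)
        elif p.flags == {"S", "A"} and stage == "SYN_SEEN" and sender != client:
            state[k] = ("SYNACK_SEEN", client)
        elif p.flags == {"A"} and stage == "SYNACK_SEEN" and sender == client:
            state[k] = ("ESTABLISHED", client)
            done.add(k)
    return done

def one_direction(packets, rx_host):
    """Simulate a single tap leg: only packets travelling toward rx_host."""
    return [p for p in packets if p.dst == rx_host]

# Constructed sample: one complete handshake followed by a further ACK.
C, S = "10.0.0.5", "192.0.2.10"
SAMPLE = [
    Pkt(C, 40000, S, 80, frozenset("S")),
    Pkt(S, 80, C, 40000, frozenset("SA")),
    Pkt(C, 40000, S, 80, frozenset("A")),
    Pkt(C, 40000, S, 80, frozenset("A")),
]

if __name__ == "__main__":
    print("both directions:", len(established_flows(SAMPLE)))
    print("client->server leg:", len(established_flows(one_direction(SAMPLE, S))))
    print("server->client leg:", len(established_flows(one_direction(SAMPLE, C))))
```

With either leg alone the tracker never reaches the established state, which is why a sensor that receives only one leg cannot apply rules that depend on connection state.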