Snort mailing list archives

Asymmetric Data


From: "Michael L. Artz" <dragon () october29 net>
Date: Fri, 18 Jul 2003 14:06:51 -0400

How well does snort handle asymmetric data, i.e. an incoming link but no outgoing link? I figure that most of the signatures should be fine, since most of them are looking for content and/or packet flags, but what about the preprocessors, such as stream4? Are there certain preprocessors that should be left turned off if snort is only seeing one side of the traffic? Any suggestions on how to best tune snort given only one side of a link?

I understand that it is best to get both sides together, but that is not a possibility in this case. From talking to other network admins, I understand that this is also not as uncommon as it would seem, especially dealing with high speed links.

-Mike




