Snort mailing list archives

RE: Passive Tap Help

From: Frank Knobbe <frank () knobbe us>
Date: Mon, 01 Dec 2003 15:14:05 -0600

On Mon, 2003-12-01 at 15:01, Dirk Geschke wrote:

There is one important thing you should not oversee. With two separate
instances of snort and therefore two instances of pcap you won't be
able to use the stream4 preprocessor and especially the "established"
feature.


That's correct. Snort does not reassemble packets/streams received from
different sources. Other IDS "claim" they can. Thus this solution is not
recommended for Snort. I just listed that as an option since their are
IDS' that claim they can take in separate directions of traffic and
merge it in the IDS. I used this example to show the different between
combining the streams on a network/OS level and application/IDS level.

Cheers,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part

Current thread:

Passive Tap Help Peters, Michael D. (Dec 01)
- Re: Passive Tap Help Frank Knobbe (Dec 01)
- <Possible follow-ups>
- RE: Passive Tap Help Peters, Michael D. (Dec 01)
  - RE: Passive Tap Help Lists (Dec 01)
  - RE: Passive Tap Help Frank Knobbe (Dec 01)
    - RE: Passive Tap Help Frank Knobbe (Dec 01)
    - RE: Passive Tap Help Lists (Dec 01)
    - RE: Passive Tap Help Frank Knobbe (Dec 01)
    - RE: Passive Tap Help Frank Knobbe (Dec 01)
    - RE: Passive Tap Help Dirk Geschke (Dec 01)
    - RE: Passive Tap Help Frank Knobbe (Dec 01)
    - RE: Passive Tap Help Frank Knobbe (Dec 03)
  - Re: Passive Tap Help kenw (Dec 01)
    - Re: Passive Tap Help Jeff Nathan (Dec 01)
    - Re: Passive Tap Help Frank Knobbe (Dec 01)
    - Re: Passive Tap Help Jeff Nathan (Dec 02)