Snort mailing list archives
one tap two interface no tcp session data logged
From: "Jacob, Raymond A Jr" <raymond.jacob () navy mil>
Date: Mon, 30 Aug 2004 18:23:05 -0400
Question: A tap was bought and connected to a box with three (3) NICs [one for mgmt and two for snorting], and a snort process is running on each NIC. No TCP session data was logged, i.e. no IIS Code Red attempts. Tried giving each NIC its own sensor name and that did not work. Finally, created a bridge with the two (2) NICs. Now one sees everything.

I Ass-U-Me that one snort process saw incoming traffic and the other process saw outgoing traffic, so there never was an established connection for the IIS rules to fire on?

If one does not want to bridge the traffic, what kind of rule should I write to catch an incoming stream with IP proto=tcp and root.exe? Of course I think that the http preprocessor normalizes the data, i.e. r^H^H^H^H^H^H^Ho^H^Ho^Ht.exe to root.exe, so I would want to bridge the traffic to make sure I get all of the alerts? Is that correct?

Thank you,
Raymond
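An added example, not from the original post and not from the Snort project's rule set, showing the distinction the question turns on in Snort 2.x rule syntax. The variables $EXTERNAL_NET, $HTTP_SERVERS and $HTTP_PORTS are the standard snort.conf variables; the msg strings and the sid values 1000001 and 1000002 are chosen here for illustration (local sids are conventionally 1000000 and above).

```snort
# Added example rules (not from the original post or from the Snort ruleset).
#
# Standard form: flow:to_server,established asks the stream preprocessor
# whether this packet belongs to a TCP session it has seen complete its
# handshake. With a tap split across two NICs and one snort process per NIC,
# each process sees only one direction, the handshake never completes from
# its point of view, and this rule never fires.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL WEB-IIS root.exe request, established session"; flow:to_server,established; uricontent:"/root.exe"; nocase; classtype:web-application-attack; sid:1000001; rev:1;)

# Relaxed form: no flow keyword, so it matches on the payload of any single
# TCP packet and works on a one-direction feed (the process attached to the
# NIC carrying client-to-server traffic). It also fires on unsolicited or
# spoofed packets that never belonged to a session, so expect more noise.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL WEB-IIS root.exe request, any TCP packet"; content:"root.exe"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)
```

The first rule uses uricontent, which is compared against the URI buffer after the http_inspect preprocessor has decoded it, so percent-encoded spellings of the same path are caught; the second uses content, which is compared against the raw payload bytes. Either way, bridging (or bonding) the two tap legs so one snort process sees both directions is what lets the established-session rules behave as written.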