Snort mailing list archives

Re: snort inline (non-drop mode) br0


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 1 Feb 2011 13:45:42 -0500

Lawrence,

I keep seeing you post to the list asking about open sessions.  But I never
see any responses to anyone's questions that we ask.

Are you having a problem with open sessions, or are you perceiving it to be
a problem?  What's the problem?  Are you dropping packets?  Are you seeing
duplicate traffic?

Is Snort not detecting things?  What's the issue?

Joel

On Tue, Feb 1, 2011 at 12:59 PM, Lawrence R. Hughes, Sr. <
lhughes () safemedia com> wrote:

 Hi,

We use snort inline in the non-drop mode and our sensor listens on br0.
Could it be that we detect the 3whs (session) with stream5, but don't
detect when the session has ended, thus giving us a high rate of open
sessions?

If this is the case, then what interface would be better to use, eth0 or
eth1 (currently both eth0 & eth1 are configured to give us br0)?

Thanks,
Larry



------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better
price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires
February 28th, so secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- 
Joel Esler
Skype:eslerjoel
http://blog.snort.org && http://blog.clamav.net