Snort mailing list archives
Re: [Snort-Users] Re: Some questions about strem5 preprocessor
From: Matt Watchinski <mwatchinski () sourcefire com>
Date: Mon, 3 Oct 2011 00:17:29 -0400
Ports listed in client tell stream5 to do stream reassembly for traffic going from the client to the server. Both means do it in either direction. In the example below, most attacks for ssh are against servers, so inspecting the traffic from clients to servers and doing reassembly is desired. For http attacks they can go either direction.

For b) that configuration looks fine. The example from the snort manual is similar. You may wish to add a "default" line, the last line below, in case your sensor sees traffic not defined in the two bind_to lines.

preprocessor stream5_tcp: bind_to 192.168.1.0/24, policy windows
preprocessor stream5_tcp: bind_to 10.1.1.0/24, policy linux
preprocessor stream5_tcp: policy solaris

Cheers,
-matt

On Fri, Sep 30, 2011 at 4:34 PM, carlopmart <carlopmart () gmail com> wrote:
On 09/30/2011 12:57 PM, carlopmart wrote:

Hi all,

I have set up one snort 2.9.1 sensor using the multipleconfigs option. After some time of configuration I have two questions:

a) What is the reason for putting some (and different) tcp ports under the "ports client" option and others under the "ports both" option? For example: looking at the snort.conf file released with the official snort rules (snortrules-snapshot-2910.tar.gz), port ssh is configured under "ports client" and port http under "ports both". Why?? How can I determine when a certain tcp port needs to be configured under "ports client", "ports both" or "ports server"?

b) Using the multipleconfigs option, is this configuration ok??

- global config:
preprocessor stream5_tcp: policy solaris

- specific config for net a.a.a.a/24:
preprocessor stream5_tcp: bind_to 192.168.1.0/24, policy windows

- specific config for net b.b.b.b/24:
preprocessor stream5_tcp: bind_to 10.1.1.0/24, policy linux

Many thanks.

Please, any help?

--
CL Martinez
carlopmart {at} gmail {d0t} com
--
Matthew Watchinski
V.P. Vulnerability Research (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-blog.snort.org && http://www.snort.org/vrt/
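To make the two points of the reply concrete (bind_to selection with a default fallback, and the direction of reassembly implied by "ports client" versus "ports both"), here is a small model of how those stream5_tcp options resolve. This is an added example, not code from the thread or from Snort itself; it assumes bind_to is matched against the server-side address of a session and that the first matching bind_to wins, and the "ports" values in the sample config are hypothetical additions to the three lines quoted above.

```python
import ipaddress
from typing import Dict, List, Optional, Set

# Constructed sample config: the three stream5_tcp lines from the thread with
# hypothetical "ports" options added in the style of the stock snort.conf.
SAMPLE_CONFIG = """\
preprocessor stream5_tcp: bind_to 192.168.1.0/24, policy windows, ports client 22 23, ports both 80 443
preprocessor stream5_tcp: bind_to 10.1.1.0/24, policy linux, ports client 22, ports both 80
preprocessor stream5_tcp: policy solaris, ports client 22, ports both 80 8080
"""


class TcpPolicy:
    """One stream5_tcp line: the network it binds to (None = default line),
    the OS policy name, and which ports get reassembly in which direction."""

    def __init__(self, network, policy: Optional[str], ports: Dict[str, Set[int]]):
        self.network = network      # ip_network object, or None for the default line
        self.policy = policy
        self.ports = ports          # {"client": set, "server": set, "both": set}

    def is_default(self) -> bool:
        return self.network is None


def parse_stream5_tcp(text: str) -> List[TcpPolicy]:
    """Parse every 'preprocessor stream5_tcp:' line; options are comma separated."""
    policies: List[TcpPolicy] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("preprocessor stream5_tcp:"):
            continue
        body = line.split(":", 1)[1]
        network = None
        policy = None
        ports: Dict[str, Set[int]] = {"client": set(), "server": set(), "both": set()}
        for option in body.split(","):
            parts = option.split()
            if not parts:
                continue
            if parts[0] == "bind_to":
                network = ipaddress.ip_network(parts[1], strict=False)
            elif parts[0] == "policy":
                policy = parts[1]
            elif parts[0] == "ports" and len(parts) > 2 and parts[1] in ports:
                ports[parts[1]].update(int(p) for p in parts[2:])
        policies.append(TcpPolicy(network, policy, ports))
    return policies


def select_policy(policies: List[TcpPolicy], server_ip: str) -> Optional[TcpPolicy]:
    """Pick the policy for a session by its server-side address (assumption):
    first matching bind_to wins, otherwise the line without bind_to, if any."""
    addr = ipaddress.ip_address(server_ip)
    for p in policies:
        if p.network is not None and addr in p.network:
            return p
    for p in policies:
        if p.is_default():
            return p
    return None  # no bind_to matched and no default line: this traffic is uncovered


def reassembly_directions(policy: TcpPolicy, port: int) -> Set[str]:
    """Directions stream5 reassembles for this port: client-listed ports only
    client->server, server-listed only server->client, both-listed in both."""
    dirs: Set[str] = set()
    if port in policy.ports["client"] or port in policy.ports["both"]:
        dirs.add("client->server")
    if port in policy.ports["server"] or port in policy.ports["both"]:
        dirs.add("server->client")
    return dirs


def has_default(policies: List[TcpPolicy]) -> bool:
    """True when a bind_to-less line exists to catch traffic outside every bind_to."""
    return any(p.is_default() for p in policies)


POLICIES = parse_stream5_tcp(SAMPLE_CONFIG)

if __name__ == "__main__":
    for ip, port in [("192.168.1.10", 22), ("10.1.1.5", 80), ("172.16.0.9", 8080)]:
        chosen = select_policy(POLICIES, ip)
        print(ip, port, chosen.policy, sorted(reassembly_directions(chosen, port)))
    print("default line present:", has_default(POLICIES))
```

Dropping the third line from `SAMPLE_CONFIG` makes `select_policy` return `None` for 172.16.0.9, which is the gap the reply's suggested "default" line closes.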