Snort mailing list archives

RE: Snort, Stream4 State and Ethernet Taps.


From: "larosa, vjay" <larosa_vjay () emc com>
Date: Wed, 1 May 2002 11:30:52 -0400

Hello everyone,

I understand the whole concept of splitting one stream into two streams and how to put them back together. What I really am interested in understanding is if you don't, can't or won't put the two streams back together, how will it affect Stream 4 stateful inspection.


I am not interested in the "how to put things back together conversation", just what will happen to stream4 if they are permanently split. Thanks!

vjl

-----Original Message-----
From: counter.spy () gmx de [mailto:counter.spy () gmx de]
Sent: Wednesday, May 01, 2002 11:11 AM
To: larosa, vjay
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort, Stream4 State and Ethernet Taps.


Vjay,
in order to achieve what you are asking for you could either use a separate switch, connect the tap ports to the switch and mirror the tap ports to a SPAN or mirror port.
Be aware that you need to use a gigabit switch if you want to be sure that no packets will be dropped, since 100Mbit/s full-duplex sums up to 200Mbit/s at full utilization.

Another, cheaper method is channel bonding (search on sourceforge.net for this software). Channel bonding can be used in order to merge datastreams of two or more NICs into one virtual interface - the bond interface.
I know that at least one member of this list successfully deployed this feature (hi, Sandro) ;)

For more information, have a look at the archives of the list. I already asked this question some days ago and there were several replies, if I remember right.

HTH

Greetings,
Detmar

Hello,

I was just thinking about something. If I have an ethernet full duplex 100 Mb link, and I insert an ethernet tap that splits the full duplex link into two half duplex streams, then run two separate instances of snort to monitor each half duplex link, how will this affect the Stream 4 preprocessor with regards to TCP state?
If the initial syn goes out past one snort process, the syn-ack comes back in past the second snort process and the final ack in the TCP three way handshake goes out past snort process 1 again, will snort ignore this conversation now and not pass on the packets for rules parsing because the handshake was not seen entirely by one snort process? Or will Stream 4 assume bi-directional flow is in play on each process because process 1 saw the syn as well as the ack, and process 2 saw a syn-ack?

Thanks!

vjl


-- 
GMX - The communication platform on the Internet.
http://www.gmx.net
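As an added illustration of the state question above (not part of the thread, and a hypothetical simplified tracker rather than Stream4's own code): a three-state TCP session tracker fed the handshake as a sensor with both directions would see it, as each half-duplex tap output would see it, and after the two halves are merged back into one time-ordered stream the way a SPAN port or bond interface does.

```python
"""Added example (not from the thread): a simplified three-state model of a
stateful TCP session tracker. It is fed the handshake from the question as
seen by a sensor with both directions, by each half of the tap split, and by
the two halves merged back together (as a SPAN port or a bond interface
would do). Hypothetical model of stateful inspection, not Stream4's code."""
from typing import List, Tuple

# (timestamp, src, dst, tcp_flags): a constructed sample three-way handshake
Packet = Tuple[float, str, str, str]
HANDSHAKE: List[Packet] = [
    (0.000, "client", "server", "SYN"),
    (0.012, "server", "client", "SYN-ACK"),
    (0.024, "client", "server", "ACK"),
]
# Legal transitions of the tracker: (current_state, flags) -> next_state
TRANSITIONS = {
    ("CLOSED", "SYN"): "SYN_SENT",
    ("SYN_SENT", "SYN-ACK"): "SYN_RCVD",
    ("SYN_RCVD", "ACK"): "ESTABLISHED",
}

def track(packets: List[Packet]) -> Tuple[str, List[Packet]]:
    """Run packets through the tracker in arrival order. Returns the final
    state and the packets that did not fit the state the tracker was in,
    i.e. traffic a stateful preprocessor cannot tie to a handshake it saw."""
    state, unexpected = "CLOSED", []
    for pkt in packets:
        nxt = TRANSITIONS.get((state, pkt[3]))
        if nxt is None:
            unexpected.append(pkt)
        else:
            state = nxt
    return state, unexpected

def tap_split(packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Model the tap: one half carries client->server, the other server->client."""
    tx = [p for p in packets if p[1] == "client"]
    rx = [p for p in packets if p[1] == "server"]
    return tx, rx

def merge(*halves: List[Packet]) -> List[Packet]:
    """Model the SPAN/bonding fix: one time-ordered stream from both halves."""
    return sorted((p for half in halves for p in half), key=lambda p: p[0])

if __name__ == "__main__":
    tx, rx = tap_split(HANDSHAKE)
    for name, stream in [("both directions", HANDSHAKE), ("tap half TX", tx),
                         ("tap half RX", rx), ("merged", merge(tx, rx))]:
        print(f"{name:16} -> {track(stream)[0]}")
```

Neither half alone ever reaches ESTABLISHED in this model (the TX half sees SYN then ACK with no SYN-ACK between them, the RX half sees only a SYN-ACK), while the merged stream does; that is the gap the SPAN or bonding approaches in the thread close.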
