Snort mailing list archives
RE: Passive Tap Help
From: Frank Knobbe <frank () knobbe us>
Date: Mon, 01 Dec 2003 15:14:05 -0600
On Mon, 2003-12-01 at 15:01, Dirk Geschke wrote:
There is one important thing you should not oversee. With two separate instances of snort and therefore two instances of pcap you won't be able to use the stream4 preprocessor and especially the "established" feature.
That's correct. Snort does not reassemble packets/streams received from different sources. Other IDS "claim" they can. Thus this solution is not recommended for Snort. I just listed that as an option since there are IDSs that claim they can take in separate directions of traffic and merge it in the IDS. I used this example to show the difference between combining the streams on a network/OS level and application/IDS level.

Cheers,
Frank
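The limitation discussed in this exchange, as a toy model added here (not part of the original messages and not Snort's stream4 code): a sensor that only sees one leg of a passive tap never observes the full three-way handshake, so a rule that requires an established session cannot fire. The `Sensor` class, the `run_merged`/`run_split` helpers, the addresses and the test pattern are all constructed for illustration.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport flags payload")
PATTERN = b"IDS-TEST-PATTERN"  # constructed marker a content rule matches on

class Sensor:
    """One IDS instance: its own capture source and its own session table."""
    def __init__(self):
        self.sessions = {}  # flow key -> (handshake state, client endpoint)
        self.alerts = []

    def process(self, p):
        sender = (p.src, p.sport)
        # Sort endpoints so both directions map to the same session entry.
        k = tuple(sorted([sender, (p.dst, p.dport)]))
        state, client = self.sessions.get(k, (None, None))
        if p.flags == "S":
            self.sessions[k] = ("SYN_SEEN", sender)
        elif p.flags == "SA" and state == "SYN_SEEN" and sender != client:
            self.sessions[k] = ("SYNACK_SEEN", client)
        elif p.flags == "A" and state == "SYNACK_SEEN" and sender == client:
            self.sessions[k] = ("ESTABLISHED", client)
        # Content rule that only fires on an established session.
        if PATTERN in p.payload and self.sessions.get(k, (None,))[0] == "ESTABLISHED":
            self.alerts.append(k)

def run_merged(traffic):
    """Tap legs combined below the IDS: one sensor sees both directions."""
    sensor = Sensor()
    for p in traffic:
        sensor.process(p)
    return len(sensor.alerts)

def run_split(traffic, client_ip):
    """One sensor per tap leg: each instance sees a single direction only."""
    tx, rx = Sensor(), Sensor()
    for p in traffic:
        (tx if p.src == client_ip else rx).process(p)
    return len(tx.alerts) + len(rx.alerts)

# Constructed sample session: handshake, one client data segment, server ACK.
C, S = ("10.0.0.5", 40000), ("10.0.0.80", 80)
def pkt(a, b, flags, payload=b""):
    return Pkt(a[0], a[1], b[0], b[1], flags, payload)
TRAFFIC = [pkt(C, S, "S"), pkt(S, C, "SA"), pkt(C, S, "A"),
           pkt(C, S, "PA", b"data " + PATTERN), pkt(S, C, "A")]

if __name__ == "__main__":
    print("merged:", run_merged(TRAFFIC), "split:", run_split(TRAFFIC, C[0]))
```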