Snort mailing list archives
Re: Asymmetric routing and IDS correlation ?
From: Rich Adamson <radamson () routers com>
Date: Tue, 23 Mar 2004 08:35:22 -0600
, and the routing and loadsharing is such that inbound traffic takes the left-hand link and outbound the right-hand, then neither of the two instances of snort on the snorthost will get enough information to do even minimal correlations, let alone use "flow" and "session" keywords. We know we could make the two links preferred/backup, rather than equal-value loadshare, but that throws away half our bandwidth.
Take a look at your router config options, some offer "per-session" load balancing as opposed to per-packet. That should take care of the problem.
Rich
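An added example, not part of the original post: a small Python check that takes packets tagged with the link they crossed and reports which sessions a per-link sensor cannot reassemble. It compares the inbound-left/outbound-right split described in the quoted text, per-packet balancing, and per-session balancing. The packet list, link numbers 0/1, the `10.` inside prefix and the direction-independent hash are all constructed assumptions.

```python
from collections import defaultdict
import zlib

# Constructed sample: (src, sport, dst, dport), two sessions, alternating directions.
A_OUT = ("10.0.0.5", 40000, "192.0.2.10", 80)
A_IN = ("192.0.2.10", 80, "10.0.0.5", 40000)
B_OUT = ("10.0.0.7", 40001, "198.51.100.4", 25)
B_IN = ("198.51.100.4", 25, "10.0.0.7", 40001)
PACKETS = [A_OUT, A_IN, A_OUT, A_IN, B_OUT, B_IN, B_OUT, B_IN]

def flow_key(pkt):
    """Direction-independent session key: the two endpoints, sorted."""
    src, sport, dst, dport = pkt
    return tuple(sorted([(src, sport), (dst, dport)]))

def per_direction(packets, inside="10."):
    """Scenario from the quoted text: inbound on link 0, outbound on link 1."""
    return [(0 if p[2].startswith(inside) else 1, p) for p in packets]

def per_packet(packets):
    """Round-robin: packet i goes to link i % 2, whatever session it belongs to."""
    return [(i % 2, p) for i, p in enumerate(packets)]

def per_session(packets):
    """Link chosen from a hash of the session key (assumed symmetric on both ends)."""
    return [(zlib.crc32(repr(flow_key(p)).encode()) % 2, p) for p in packets]

def split_sessions(assigned):
    """Sessions whose packets appear on more than one link, so that no
    single-link sensor sees the whole conversation."""
    links = defaultdict(set)
    for link, pkt in assigned:
        links[flow_key(pkt)].add(link)
    return sorted(k for k, seen in links.items() if len(seen) > 1)

if __name__ == "__main__":
    for name, policy in [("per-direction", per_direction),
                         ("per-packet", per_packet),
                         ("per-session", per_session)]:
        print(name, "split sessions:", len(split_sessions(policy(PACKETS))))
```

The same `split_sessions` check can be run over real capture metadata from each tap to confirm whether a sensor is seeing both halves of its sessions.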