Snort mailing list archives

Re: Asymmetric routing and IDS correlation ?


From: Rich Adamson <radamson () routers com>
Date: Tue, 23 Mar 2004 08:35:22 -0600

, and the routing and loadsharing is such that inbound traffic takes
the left-hand link and outbound the right-hand, then neither of the
two instances of snort on the snorthost will get enough information
to do even minimal correlations, let alone use "flow" and "session"
keywords.

We know we could make the two links preferred/backup, rather than 
equal-value loadshare, but that throws away half our bandwidth.

Take a look at your router config options, some offer "per-session"
load balancing as opposed to per-packet. That should take care of the
problem.

Rich
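
The effect of the balancing mode on what each sensor sees, as an added example that is not part of the original post. It is a simulation, not router or Snort code; the addresses, link names and hash choice are constructed assumptions, and it assumes both directions of a session are balanced on the same direction-independent key.

```python
import hashlib
from collections import defaultdict

LINKS = ("left", "right")

# Constructed sample traffic: 4 TCP sessions, 4 packets each, alternating direction.
# Packet = (src, sport, dst, dport); 10.0.0.5 is the inside host (assumption).
TRAFFIC = []
for i in range(4):
    client, server = ("192.0.2.%d" % (i + 1), 40000 + i), ("10.0.0.5", 80)
    TRAFFIC += [client + server, server + client] * 2

def session_key(src, sport, dst, dport):
    """Direction-independent key: both directions of a session give the same value."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def per_packet(packets):
    """Round-robin: each packet takes the next link, whatever session it belongs to."""
    return [(LINKS[i % 2], p) for i, p in enumerate(packets)]

def by_direction(packets, inside="10."):
    """The case in the thread: inbound on the left-hand link, outbound on the right."""
    return [("left" if p[2].startswith(inside) else "right", p) for p in packets]

def per_session(packets):
    """A hash of the session key picks the link, so a session stays on one link."""
    out = []
    for p in packets:
        digest = hashlib.sha256(repr(session_key(*p)).encode()).digest()
        out.append((LINKS[digest[0] % 2], p))
    return out

def complete_sessions(assignments):
    """Number of sessions whose packets were all seen by one link's sensor."""
    links_seen = defaultdict(set)
    for link, p in assignments:
        links_seen[session_key(*p)].add(link)
    return sum(1 for links in links_seen.values() if len(links) == 1)

if __name__ == "__main__":
    for name, fn in (("per-packet", per_packet), ("by-direction", by_direction),
                     ("per-session", per_session)):
        print(name, complete_sessions(fn(TRAFFIC)), "of 4 sessions complete on one sensor")
```
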



