Snort mailing list archives
Re: snort + squid proxy
From: Jason Haar <Jason_Haar () trimble com>
Date: Sun, 25 Nov 2012 10:04:07 +1300
On 25/11/12 09:23, Tony Robinson wrote:
not src host 1.1.1.1
Just a further point about BPF filters and snort. The "src host" and "dst host" BPF filters are not very useful for snort to use in almost all situations. If you have "not src host 1.1.1.1", then you are telling BPF to not send any src packet 1.1.1.1 to snort to process. As such, this means that snort will never be able to "see" a full bi-directional TCP-stream (for TCP of course) - which means most of its TCP rules will never trigger if they involve 1.1.1.1 as *either* src or dst. i.e. the "flow:established" rules will never trigger for 1.1.1.1 -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ------------------------------------------------------------------------------ Monitor your physical, virtual and cloud infrastructure from a single web console. Get in-depth insight into apps, servers, databases, vmware, SAP, cloud infrastructure, etc. Download 30-day Free Trial. Pricing starts from $795 for 25 servers or applications! http://p.sf.net/sfu/zoho_dev2dev_nov _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- snort + squid proxy Leonardo Pezente (Nov 22)
- Re: snort + squid proxy Tony Robinson (Nov 24)
- Re: snort + squid proxy Jason Haar (Nov 24)
- Re: snort + squid proxy Tony Robinson (Nov 24)
- Re: snort + squid proxy Jason Haar (Nov 24)
- Re: snort + squid proxy Tony Robinson (Nov 24)