Snort mailing list archives

Re: snort + squid proxy


From: Jason Haar <Jason_Haar () trimble com>
Date: Sun, 25 Nov 2012 10:04:07 +1300

On 25/11/12 09:23, Tony Robinson wrote:

> not src host 1.1.1.1

Just a further point about BPF filters and snort. The "src host" and
"dst host" BPF filters are not very useful for snort to use in almost
all situations.

If you have "not src host 1.1.1.1", then you are telling BPF to not send
any packet with src 1.1.1.1 to snort to process. As such, this means that
snort will never be able to "see" a full bi-directional TCP stream (for
TCP of course) - which means most of its TCP rules will never trigger if
they involve 1.1.1.1 as *either* src or dst, i.e. the "flow:established"
rules will never trigger for 1.1.1.1.


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
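The one-sided effect described above, as an added example that is not part of the post: a minimal model of the three BPF host filters ("not src host", "not dst host", "not host") run over a constructed TCP exchange between two made-up addresses, showing that only "not host" removes the whole stream, while "not src host" leaves half a stream that can never complete a handshake.

```python
# Added example, not from the mailing-list post. Models a tiny subset of BPF
# ([not] [src|dst] host ADDR) over a constructed TCP exchange to show that
# "not src host X" strips only one direction of every stream involving X.
from collections import namedtuple

Packet = namedtuple("Packet", "src dst flags")

# Constructed sample: 3-way handshake plus data between 10.0.0.5 and 1.1.1.1
STREAM = [
    Packet("10.0.0.5", "1.1.1.1", "S"),    # client SYN
    Packet("1.1.1.1", "10.0.0.5", "SA"),   # server SYN/ACK
    Packet("10.0.0.5", "1.1.1.1", "A"),    # client ACK
    Packet("10.0.0.5", "1.1.1.1", "PA"),   # client data
    Packet("1.1.1.1", "10.0.0.5", "PA"),   # server data
]

def bpf_matches(expr, pkt):
    """Evaluate a minimal BPF subset: [not] (src|dst)? host ADDR."""
    tokens = expr.split()
    negate = tokens[0] == "not"
    if negate:
        tokens = tokens[1:]
    if tokens[0] == "host":
        hit = pkt.src == tokens[1] or pkt.dst == tokens[1]
    elif tokens[0] == "src" and tokens[1] == "host":
        hit = pkt.src == tokens[2]
    elif tokens[0] == "dst" and tokens[1] == "host":
        hit = pkt.dst == tokens[2]
    else:
        raise ValueError("unsupported filter: " + expr)
    return hit != negate

def apply_bpf(expr, packets):
    """Packets the kernel filter would hand to snort under this expression."""
    return [p for p in packets if bpf_matches(expr, p)]

def directions_seen(packets):
    """Set of (src, dst) pairs; stream tracking needs both directions."""
    return {(p.src, p.dst) for p in packets}

def handshake_complete(packets):
    """A session can only be marked established if all three handshake
    packets were seen, in order, at the start of the capture."""
    return [p.flags for p in packets[:3]] == ["S", "SA", "A"]

if __name__ == "__main__":
    for expr in ("not src host 1.1.1.1", "not dst host 1.1.1.1", "not host 1.1.1.1"):
        kept = apply_bpf(expr, STREAM)
        print(f"{expr!r}: kept {len(kept)} packets, directions={directions_seen(kept)}, "
              f"established={handshake_complete(kept)}")
```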

