Snort mailing list archives
Re: snort + squid proxy
From: Tony Robinson <deusexmachina667 () gmail com>
Date: Sat, 24 Nov 2012 16:38:07 -0500
Thanks for bringing that point up, Jason -- I admit I had forgotten about that. An additional note to this -- this also means that application layer preprocessors/preprocessor rules won't fire correctly either, since they implicitly rely on stream5 and on seeing both sides of a conversation for application protocol normalization.

cheers,
DA

On Sat, Nov 24, 2012 at 4:04 PM, Jason Haar <Jason_Haar () trimble com> wrote:
On 25/11/12 09:23, Tony Robinson wrote:
not src host 1.1.1.1

Just a further point about BPF filters and snort. The "src host" and "dst host" BPF filters are not very useful for snort to use in almost all situations. If you have "not src host 1.1.1.1", then you are telling BPF to not send any packet with src 1.1.1.1 to snort to process. As such, this means that snort will never be able to "see" a full bi-directional TCP stream (for TCP, of course) - which means most of its TCP rules will never trigger if they involve 1.1.1.1 as *either* src or dst, i.e. the "flow:established" rules will never trigger for 1.1.1.1.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single web console. Get in-depth insight into apps, servers, databases, vmware, SAP, cloud infrastructure, etc. Download 30-day Free Trial. Pricing starts from $795 for 25 servers or applications! http://p.sf.net/sfu/zoho_dev2dev_nov
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
when does reality end? when does fantasy begin?
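A toy model of the asymmetry Jason describes, added here as an illustration and not code from the thread or from Snort itself: the packets, the addresses and the handshake tracker are constructed stand-ins for what stream5 does, showing why a one-directional BPF filter leaves the flow never "established".

```python
# Added illustration (not from the thread or from Snort): why an
# asymmetric BPF filter such as "not src host 1.1.1.1" starves the
# stream tracker. Every packet below is constructed sample data.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst flags")

# Constructed three-way handshake plus one data segment each way
# between a client (10.0.0.5) and the host the filter names (1.1.1.1).
HANDSHAKE = [
    Pkt("10.0.0.5", "1.1.1.1", "S"),   # SYN
    Pkt("1.1.1.1", "10.0.0.5", "SA"),  # SYN/ACK
    Pkt("10.0.0.5", "1.1.1.1", "A"),   # ACK
    Pkt("10.0.0.5", "1.1.1.1", "PA"),  # client data
    Pkt("1.1.1.1", "10.0.0.5", "PA"),  # server data
]

def not_src_host(host):
    """BPF 'not src host X': drop packets whose source is X."""
    return lambda p: p.src != host

def not_host(host):
    """BPF 'not host X': drop packets where X is either endpoint."""
    return lambda p: host not in (p.src, p.dst)

def track_flow(packets, bpf):
    """Minimal stand-in for stream5's handshake tracking (hypothetical,
    not Snort's code): a flow counts as established only after SYN,
    SYN/ACK and ACK have all been seen in order. Returns
    (established, packets_the_tracker_actually_saw)."""
    seen = set()
    established = False
    count = 0
    for p in packets:
        if not bpf(p):  # BPF drops the packet before Snort ever sees it
            continue
        count += 1
        if p.flags == "S":
            seen.add("S")
        elif p.flags == "SA" and "S" in seen:
            seen.add("SA")
        elif p.flags == "A" and {"S", "SA"} <= seen:
            established = True  # only now would flow:established rules fire
    return established, count

if __name__ == "__main__":
    print("no filter:    ", track_flow(HANDSHAKE, lambda p: True))
    print("not src host: ", track_flow(HANDSHAKE, not_src_host("1.1.1.1")))
    print("not host:     ", track_flow(HANDSHAKE, not_host("1.1.1.1")))
```

With "not src host 1.1.1.1" the tracker still receives three packets but never the SYN/ACK, so the flow stays unestablished and any rule with flow:established stays silent; "not host 1.1.1.1" at least removes the conversation cleanly instead of leaving a half-seen one.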
Current thread:
- snort + squid proxy Leonardo Pezente (Nov 22)
- Re: snort + squid proxy Tony Robinson (Nov 24)
- Re: snort + squid proxy Jason Haar (Nov 24)
- Re: snort + squid proxy Tony Robinson (Nov 24)
- Re: snort + squid proxy Jason Haar (Nov 24)
- Re: snort + squid proxy Tony Robinson (Nov 24)