Snort mailing list archives

Re: [Resolved] Snort stateless/asymmetric mode


From: Rodolfo Etore <rponteado () gmail com>
Date: Wed, 15 May 2013 13:37:26 -0300

Thanks for your time guys,

That can't be done.

2013/5/10 Joel Esler <jesler () sourcefire com>:
Snort needs to see both sides of the conversation in order for it to work
right.


On May 9, 2013, at 8:42 PM, James Lay <jlay () slave-tothe-box net> wrote:

I do not think Snort will do what you're hoping…I'll defer to smarter folks
here.

James

On May 9, 2013, at 9:05 AM, Rodolfo Etore <rponteado () gmail com> wrote:
2013/5/8 James Lay <jlay () slave-tothe-box net>

I do work with a company that has multiple paths out, so I think I know
where you're at.  Solution was/is to have a single machine with multiple
nics, have each path get a spanned port, and then use daq to listen to
each interface in each path.  Bonus was that one instance of snort
handles all external traffic, no matter which path it comes/goes.  Hope that
sorta helps.


James


Hello boss, I do understand your point of view, but this won't help us at
this point. I would like to know if there's a way I could set snort to match
on only fragments of the packet, like only the GET or only the response.


On May 8, 2013, at 2:16 PM, Rodolfo Etore <rponteado () gmail com> wrote:

Hello, thanks for your quick response here,



2013/5/8 James Lay <jlay () slave-tothe-box net>

On 2013-05-08 12:54, Rodolfo Etore wrote:
Hello all,

Can you please help me with the following situation:

I have two sensors, our network team created a portchannel to connect
both sensors on the same network, and now the situation we are facing
is this: the traffic comes into one sensor and gets out through the
other sensor, this way snort is not matching any rules, so I would
like to check with you if there is a way we can inspect the
traffic in some sort of stateless mode, because it only matches when
traffic gets out on the same sensor it came in on.

Many thanks for your help.


By sensor are you meaning a different machine/snort instance/interface?
Could you describe it in a little more detail?


A sensor is basically a machine, and each machine has one bridge with one
snort instance running. The two machines have the very same configuration.
What happens is that in some situations we have the inbound packets through
one machine and the outbound packets through the second machine; as mentioned
earlier, this way the snort signatures are not matching.


James


------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and
their applications. This 200-page book is written by three acclaimed
leaders in the field. The early access version is available now.
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




--
Many thanks in advance
--
Many thanks in advance
--
Many thanks in advance
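Added illustration of the problem discussed in this thread (a constructed simulation, not Snort's own stream code): a minimal stateful tracker only matches payload on sessions whose handshake it has seen in both directions, so each sensor's one-directional view produces no alert, while one instance fed both paths, as James describes, does. The packet model, the sample HTTP exchange and the rule pattern are all constructed for this example.

```python
# Constructed model of a stateful IDS: content is matched only once a TCP
# session reaches ESTABLISHED, which needs both directions of the handshake.
from collections import namedtuple

# t = capture order, so two sensors' feeds can be merged back into wire order.
Pkt = namedtuple("Pkt", "t src dst flags payload")

# One HTTP request/response in wire order (constructed sample traffic).
FLOW = [
    Pkt(1, "client", "server", "S",  b""),
    Pkt(2, "server", "client", "SA", b""),
    Pkt(3, "client", "server", "A",  b""),
    Pkt(4, "client", "server", "PA", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Pkt(5, "server", "client", "PA", b"HTTP/1.1 200 OK\r\n\r\n"),
]

def sensor_view(src):
    """Asymmetric routing: a sensor sees only the packets leaving via its path."""
    return [p for p in FLOW if p.src == src]

def merge(*feeds):
    """What a single instance spanned onto every path sees: all directions."""
    return sorted((p for feed in feeds for p in feed), key=lambda p: p.t)

def inspect(packets, pattern=b"GET /"):
    """Return alerts for `pattern`, but only on ESTABLISHED sessions."""
    state, alerts = {}, []
    for p in packets:
        key = frozenset((p.src, p.dst))       # both directions share a session
        st = state.get(key, "NEW")
        if p.flags == "S" and st == "NEW":
            st = "SYN_SENT"
        elif p.flags == "SA" and st == "SYN_SENT":
            st = "SYN_RECV"
        elif p.flags == "A" and st == "SYN_RECV":
            st = "ESTABLISHED"
        state[key] = st
        # Without the full handshake the session never becomes ESTABLISHED,
        # so the GET is never handed to content matching.
        if st == "ESTABLISHED" and pattern in p.payload:
            alerts.append(f"{p.src}->{p.dst}: {pattern.decode()}")
    return alerts

if __name__ == "__main__":
    a, b = sensor_view("client"), sensor_view("server")
    print("sensor A alone:", inspect(a))        # []
    print("sensor B alone:", inspect(b))        # []
    print("single instance:", inspect(merge(a, b)))  # ['client->server: GET /']
```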