Snort mailing list archives
RE: Snort, Stream4 State and Ethernet Taps.
From: "Wirth, Jeff" <WirthJe () DNB com>
Date: Wed, 1 May 2002 10:34:28 -0400
From: larosa, vjay [mailto:larosa_vjay () emc com]
I was just thinking about something: if I have an ethernet full duplex 100 Mb link, and I insert an ethernet tap that splits the full duplex link into two half duplex streams, then run two separate instances of snort to monitor each half duplex link, how will this affect the Stream 4 preprocessor with regards to TCP state? If the initial syn goes out past one snort process, the syn-ack comes back in past the second snort process and the final ack in the TCP three way handshake goes out past snort process 1 again, will snort ignore this conversation now and not pass on the packets for rules parsing because the handshake was not seen entirely by one snort process? Or will Stream 4 assume bi-directional flow is in play on each process because process 1 saw the syn as well as the ack, and process 2 saw a syn-ack?
Take a look at the mail archive. There was a thread on this topic last week... http://sourceforge.net/search/?type=mlists&exact=1&q=taps&offset=25&group_id=3357&forum_id=3972 - Jeff
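The situation vjay describes can be modelled without any Snort code. The script below is an added illustration, not Stream4's implementation and not the answer from the archived thread; it builds a constructed three-way handshake plus one data segment (placeholder addresses 10.0.0.5 and 10.0.0.9), splits it the way a tap does (client-to-server half to one sensor, server-to-client half to the other), and runs a toy tracker under the two policies the question contrasts: a "strict" policy that needs SYN, SYN-ACK and ACK in order, and a "lenient" policy that infers the missing SYN from a SYN-ACK and accepts the client's ACK without having seen the SYN-ACK. The point it makes visible is that under the strict policy neither half-duplex sensor ever reaches ESTABLISHED, so payload carried on that session is never handed to rule matching, while a single sensor on the merged stream inspects it.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: FrozenSet[str]
    direction: str          # "c2s" or "s2c": which half of the full-duplex link carries it
    payload: bytes = b""


def P(direction: str, *flags: str, payload: bytes = b"") -> Packet:
    # Constructed client/server pair; the addresses are placeholders, not from the post.
    src, dst = ("10.0.0.5", "10.0.0.9") if direction == "c2s" else ("10.0.0.9", "10.0.0.5")
    return Packet(src, dst, frozenset(flags), direction, payload)


# Constructed sample conversation: three-way handshake followed by one data segment.
CONVERSATION: List[Packet] = [
    P("c2s", "SYN"),
    P("s2c", "SYN", "ACK"),
    P("c2s", "ACK"),
    P("c2s", "PSH", "ACK", payload=b"GET / HTTP/1.0\r\n\r\n"),
]


class Tracker:
    """Toy TCP handshake tracker (a model, not Stream4's code).

    'strict'  : needs SYN, then SYN-ACK, then ACK before the session is ESTABLISHED.
    'lenient' : a SYN-ACK alone implies the SYN existed, and a bare ACK after a SYN
                is accepted even though the SYN-ACK was never seen.
    """

    def __init__(self, policy: str):
        assert policy in ("strict", "lenient")
        self.policy = policy
        self.state = "CLOSED"
        self.inspected: List[Packet] = []   # data segments handed on to rule matching

    def feed(self, p: Packet) -> str:
        f = p.flags
        is_syn = "SYN" in f and "ACK" not in f
        is_synack = "SYN" in f and "ACK" in f
        is_ack = "ACK" in f and "SYN" not in f
        lenient = self.policy == "lenient"
        if is_syn and self.state == "CLOSED":
            self.state = "SYN_SENT"
        elif is_synack and (self.state == "SYN_SENT" or (lenient and self.state == "CLOSED")):
            self.state = "SYN_RECV"
        elif is_ack and (self.state == "SYN_RECV" or (lenient and self.state == "SYN_SENT")):
            self.state = "ESTABLISHED"
        # Only payload on a session the tracker considers established reaches the rules.
        if self.state == "ESTABLISHED" and p.payload:
            self.inspected.append(p)
        return self.state


def run(packets: List[Packet], policy: str) -> Dict[str, object]:
    """Feed a packet list to one tracker and report its final state and inspected count."""
    t = Tracker(policy)
    for p in packets:
        t.feed(p)
    return {"state": t.state, "inspected": len(t.inspected)}


def split_by_direction(packets: List[Packet]) -> Dict[str, List[Packet]]:
    """Model the tap: each half of the full-duplex link goes to its own sensor."""
    halves: Dict[str, List[Packet]] = {"c2s": [], "s2c": []}
    for p in packets:
        halves[p.direction].append(p)
    return halves


def simulate(policy: str, packets: List[Packet] = CONVERSATION) -> Dict[str, Dict[str, object]]:
    """Compare one sensor on the merged stream with two sensors on the split halves."""
    halves = split_by_direction(packets)
    return {
        "single_sensor": run(packets, policy),
        "sensor_c2s": run(halves["c2s"], policy),
        "sensor_s2c": run(halves["s2c"], policy),
    }


if __name__ == "__main__":
    for policy in ("strict", "lenient"):
        print(policy, simulate(policy))
```

Under "strict", the client-side sensor stalls in SYN_SENT (it sees SYN then ACK but never the SYN-ACK) and the server-side sensor stays CLOSED (a SYN-ACK with no preceding SYN is ignored), so the data segment is inspected only by the single sensor on the merged stream. Under "lenient", the client-side sensor does reach ESTABLISHED and inspects the data, but the server-side sensor is stuck in SYN_RECV because the handshake-completing ACK travels on the other half of the link. Whichever policy a real preprocessor applies, a sensor that sees one direction of a full-duplex link is working from an incomplete handshake, which is why the question of how Stream4 treats that case matters for coverage.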
Current thread:
- Snort, Stream4 State and Ethernet Taps. larosa, vjay (Apr 30)
- <Possible follow-ups>
- RE: Snort, Stream4 State and Ethernet Taps. Wirth, Jeff (May 01)
- Alerting Snort (sending alert through pager) Alwin Raymundo (May 03)
- RE: Snort, Stream4 State and Ethernet Taps. counter . spy (May 01)
- RE: Snort, Stream4 State and Ethernet Taps. larosa, vjay (May 01)
- RE: Snort, Stream4 State and Ethernet Taps. counter . spy (May 01)
