Snort mailing list archives
snort behind TAP & asynchronous_link
From: Holger.Woehle () arcor net
Date: Thu, 15 Aug 2002 11:02:33 +0100
Hello,
I am still stuck on the problem of running Snort behind a Shomiti Ethernet TAP.
That is my network:
          +---+     +---+           +---+
          | S |     | R |           | S |
+-----+   | W |     | O |           | W |   +-------+
|     |   | I |     | U |   +---+   | I |   |       |
|  A  |===| T |=====| T |===|TAP|===| T |===| httpd |
|     |   | C |     | E |   +---+   | C |   |       |
+-----+   | H |     | R |     |     | H |   +-------+
          | 1 |     |   |     |     | 2 |
          +---+     +---+     |     +---+
                              |
                          +-------+
                          | SNORT |
                          +-------+
The TAP sits between the Router and Switch2.
Lower surface of the TAP:
             +--------------------+
             |    Century TAP     |
>from Router=======A        B===============> to SWITCH 2
             |                    |
<to SNORT========Tap A    Tap B
             |                    |
             +--------------------Power-----
I am using Snort 1.9.0beta4 and the default snort.conf with one change:
preprocessor stream4: detect_scans, disable_evasion_alerts, asynchronous_link
If I append keepstates, I understand that Snort logs some info about states into
/var/log/snort,
but nothing like state.log appears?
Snort does not recognize the alerts with the flow:to_server,established
attributes.
It seems to me that Snort does not reassemble the stream.
If I delete the established attribute, Snort recognises the alert.
But then I run into my other problem (please see thread: snort seas no
fragmented error).
With regards,
Holger
