[Snort-devel] Race Conditions
Kreimendahl, Chad J
Chad.Kreimendahl at ...1167...
Tue May 7 07:32:03 EDT 2002
If you really wanted the trouble... You could insert all of the signatures
beforehand... (yeah, not a fun proposition).
I haven't actually seen this happen, where you have 2 instances of a
signature because two snorts found it at the same time.... It should happen,
but I have yet to do it. Is there a need for you to see it both places?
We turn off rules in certain places because they'll only be duplicates...
For example... Watching the outside and inside of a f/w. Since anything
that actually gets through would be of fair significance, you'd want the
majority of rules turned on inside... And likely have a smaller subset of
rules for the outside... Where you could log any extra data which may help
you catch a suspected attacker before they actually get through your f/w.
From: Blyth A J C (Comp) [mailto:ajcblyth at ...1255...]
Sent: Tuesday, May 07, 2002 7:30 AM
To: 'snort-devel at lists.sourceforge.net'
Subject: [Snort-devel] Race Conditions
On a network we have several intrusion detection systems running. How do
you get round the problem of two snort systems detecting the same event at
the same time and reporting it to the database? If the signature had not
been seen before that both sensors would attempt to insert the signature for
the first time. One would succeed and one would have. On the console of the
system that failed an error message would be created. So how do you stop
this race condition?
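The race described in this thread, reproduced as an added example (not code from the thread or from Snort): two sensors both check for a signature, both find nothing, and both insert, so one fails on the unique constraint; the second function lets the database arbitrate instead. It assumes SQLite through Python's `sqlite3`, and the table layout and function names are hypothetical, not Snort's actual schema.

```python
import os, sqlite3, tempfile, threading

# Hypothetical, simplified table; not Snort's actual database schema.
SCHEMA = "CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL UNIQUE)"
SELECT = "SELECT sig_id FROM signature WHERE sig_name = ?"

def racy_get_or_create(conn, name, gate):
    """Check-then-insert: both sensors can pass the check before either inserts."""
    row = conn.execute(SELECT, (name,)).fetchone()
    gate.wait()  # force the overlap: every sensor has checked, none has inserted
    if row is None:
        conn.execute("INSERT INTO signature (sig_name) VALUES (?)", (name,))
    return conn.execute(SELECT, (name,)).fetchone()[0]

def safe_get_or_create(conn, name, gate):
    """Let the UNIQUE constraint arbitrate: the losing insert becomes a no-op."""
    gate.wait()  # start all sensors at the same moment
    conn.execute("INSERT OR IGNORE INTO signature (sig_name) VALUES (?)", (name,))
    return conn.execute(SELECT, (name,)).fetchone()[0]

def run_sensors(get_or_create, n_sensors=2, name="constructed sample signature"):
    """Run n sensors against one fresh database; return (ids, errors, row_count)."""
    ids, errors = [], []
    gate = threading.Barrier(n_sensors)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "alerts.db")
        def connect():
            # isolation_level=None: each statement commits on its own;
            # timeout makes a blocked writer wait for the lock instead of failing.
            return sqlite3.connect(path, timeout=30, isolation_level=None)
        db = connect()
        db.execute(SCHEMA)
        def sensor():
            conn = connect()  # one connection per sensor, as with separate hosts
            try:
                ids.append(get_or_create(conn, name, gate))
            except sqlite3.IntegrityError as exc:
                errors.append(str(exc))  # the console error from the original question
            finally:
                conn.close()
        threads = [threading.Thread(target=sensor) for _ in range(n_sensors)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        count = db.execute("SELECT COUNT(*) FROM signature").fetchone()[0]
        db.close()
    return ids, errors, count
```

`run_sensors(racy_get_or_create)` ends with one stored row and one sensor reporting an integrity error; `run_sensors(safe_get_or_create, n_sensors=8)` ends with one stored row, no errors, and every sensor holding the same `sig_id`.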