[Snort-users] Asynchronous routing

Lance Spitzner lance at ...185...
Sat Aug 5 15:26:46 EDT 2000


Routing buddy of mine wanted to know the following about
snort.

--- snip snip ---

Our particular network configuration leads to asynchronous routing.
We could in theory do synchronous detection with a sniffer that
has two input interfaces, one from each core switch. The sniffer
would have to be able to watch both sides of a conversation on
different interfaces.

As far as we know, no commercial sniffer is capable of this at this time.
However, we believe that it is technically feasible. Of course one would
have to keep track of the state of every connection.

Are any of the IDS signatures snort uses reliant upon seeing both sides of the
conversation? I assume that some are. Could we add a second input to the
packet engine so that it appears as one stream of data from two physical
interfaces?

--- snip snip ----


Thanks!

lance
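
The idea raised in the quoted question, as an added example that is not part of the original post and is not Snort code: two per-interface captures are interleaved by timestamp into one stream, and a direction-independent flow key lets a handshake tracker see both halves of a conversation. The packet tuples, addresses and function names are constructed for illustration, and the sketch assumes both interfaces are timestamped from the same clock.

```python
import heapq
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts iface src sport dst dport flags")

# Constructed sample: client->server traffic crosses core switch A (if0),
# server->client replies cross core switch B (if1).
IF0 = [
    Pkt(1.000, "if0", "10.0.0.5", 40000, "192.0.2.10", 80, "S"),
    Pkt(1.020, "if0", "10.0.0.5", 40000, "192.0.2.10", 80, "A"),
    Pkt(1.030, "if0", "10.0.0.5", 40000, "192.0.2.10", 80, "PA"),
]
IF1 = [
    Pkt(1.010, "if1", "192.0.2.10", 80, "10.0.0.5", 40000, "SA"),
    Pkt(1.040, "if1", "192.0.2.10", 80, "10.0.0.5", 40000, "A"),
]

def flow_key(p):
    """Direction-independent key so both halves map to one connection."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

def merge_streams(*streams):
    """Interleave per-interface captures (each already time-ordered) by timestamp."""
    return heapq.merge(*streams, key=lambda p: p.ts)

def established_flows(packets):
    """Return the set of flows whose full three-way handshake was observed."""
    state, done = {}, set()
    for p in packets:
        k = flow_key(p)
        s = state.get(k)
        if p.flags == "S" and s is None:
            state[k] = ("SYN", (p.src, p.sport))  # remember the initiator
        elif p.flags == "SA" and s and s[0] == "SYN" and (p.dst, p.dport) == s[1]:
            state[k] = ("SYNACK", s[1])
        elif p.flags == "A" and s and s[0] == "SYNACK" and (p.src, p.sport) == s[1]:
            state[k] = ("EST", s[1])
            done.add(k)
    return done

if __name__ == "__main__":
    for name, pkts in (("if0 only", IF0), ("if1 only", IF1),
                       ("merged", merge_streams(IF0, IF1))):
        print(name, "->", len(established_flows(pkts)), "established flow(s)")
```

Neither interface alone ever yields an established connection; only the merged stream does, which is why any check that depends on connection state needs both inputs.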




