[Snort-users] Asynchronous routing
cec at ...68...
Sat Aug 5 23:12:20 EDT 2000
Snort is currently packet based. All of the attack signatures currently
rely on the attack identifier to be in one packet (port scans and
fragmented packets excluded). So snort looks for a phrase contained in a
packet or the TCP flags on a packet or packets going to a specific port,
Some of this may change soon. I recently submitted a beta of a TCP stream
reassembly module to the snort maintainers. If this is incorporated, one
could conceive of plugins which monitor both sides of the connections. I
can't imagine that (a future version) snort would care which interface the
packets came in on. The current version can only listen to one interface,
I believe future versions will be able to listen to multiple interfaces.
Once the packets have been sent to the detection engine, it won't matter
which interface they came from.
Does this help answer your question?
Dr. Christopher E. Cramer
Associate in Research
Duke University, Department of Electrical and Computer Engineering
114 Hudson Hall, Box 90291, Durham, NC 27708-0291
PH: 919-660-5248 FAX: 919-660-5293 email: cec at ...68...
On Sat, 5 Aug 2000, Lance Spitzner wrote:
> Routing buddy of mine wanted to know the following about
> --- snip snip ---
> Our particular network configuration leads to asynchronous routing,
> we could in theory do synchronous detection with a sniffer, that
> has two input interfaces, one from each core switch. The sniffer
> would have to be able to watch both sides of a conversation on
> different interfaces.
> As far as we know, no commercial sniffer is capable of this at this time.
> However, we beleive that it is technically feasable. Of course one would
> have to keep track of the state of every connection.
> Are any of the IDS signatures snort uses reliant upon seeing both sides of the
> conversation ? I assume that some are. Could we add a second input to the
> packet engine so that it appears as one stream of data from two physical
> interfaces ?
> --- snip snip ----
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
More information about the Snort-users