[Snort-users] Asynchronous routing

Rich Walchuck walchuck at ...264...
Sun Aug 6 22:05:39 EDT 2000

Actually "asynchronous routing" is a valid term if you mean that there may be
multiple paths to/from the network whereas the outbound connection may not
necessarily traverse the same route back as it was received. This is possible
if there are multiple routers and peering points to a network.

Since Snort does not currently perform TCP stream reassembly this should not 
be much of an issue. However, an easy method to solve this is bring both
(one from each core switch) back to another small switch (such as the cisco
and span both ports to a third port where you place your IDS (or sniffer).


At 12:44 PM 8/6/00 -0700, Dragos Ruiu wrote:
>On Sat, 05 Aug 2000, Lance Spitzner wrote:
>> Routing buddy of mine wanted to know the following about
>> snort.
>> --- snip snip ---
>> Our particular network configuration leads to asynchronous routing,
>> we could in theory do synchronous detection with a sniffer, that 
>> has two input interfaces, one from each core switch. The sniffer
>> would have to be able to watch both sides of a conversation on
>> different interfaces.
>Semantic quibbling, but....You may be using the wrong terms here.
>Synchronous means that data appears only when synchronized to 
>some time base... I.e. the bits on a T1 line are synchronous at a
>rate of 1.544 Mbps.  Asynchronous means that the data can 
>show up at any time, like the IP packets traveling superimposed
>on those synchronized T1 1.544 Mbps bitstream.  The asynchronous
>arrival of data in the synchronous 53 byte cell in ATM is
>where the name Asynchronous Transfer Mode comes from.
>Reading from your question you probably mean full and half duplex
>methinks.... Anyway...
>> As far as we know, no commercial sniffer is capable of this at this time.
>> However, we beleive that it is technically feasable. Of course one would
>> have to keep track of the state of every connection.
>There are commercial multiport sniffers, but they tend to be the expensive
>hw device variety.  Probably the most famous of these (because for a long
>time it was the only commercial multiport ethernet sniffer) is the
>Wandel&Goltermann DA-30, but that is an old product and W&G may
>have finally replaced it and put some multi-port capability in their
>newer Domino series of undercradles. At HP we had some fairly
>pricy ($100K+) boxes that I was product manager for that also did
>this.  HP has probably come out with others in the last few years too...
>The HP Internet Advisor guys have been threatening (;-) to come 
>out with multiport for oh... about 10 years now. (Sorry for the shot
>if you read this, Bill and Hamish :-) So they may have finally released
>something since I left.
>> Are any of the IDS signatures snort uses reliant upon seeing both sides
of the
>> conversation ? I assume that some are. Could we add a second input to the 
>> packet engine so that it appears as one stream of data from two physical
>> interfaces ?
>Snort is currently a state-less (some preprocessors excepted) IDS and there
>are no signatures that rely on seeing something in one direction and then
>something in the other direction.  It goes through its signature list for
>every packet - though I can think of some scenarios where it would be 
>nice to be able to have signatures dynamically turn other rules on and off
>That said, there is very little except a little coding(:-) that stops
snort from
>integrating data from multiple interfaces into one snort - but it currently
>wouldn't buy you very much over running a couple of instances of snort,
>and so that's the reason why no-one has jumped up to develop this.  I
>don't think it would be too hard....  but it would be much more useful once
>snort would start handling some rules of a "stateful" nature.  The
>nature of snort is one the reasons it runs with such great performance, imho,
>so we should be wary of such design mods and consider carefully.
>Anyway, Lance, if your buddy wants to describe his objective further, there
>may be a way to acheive it without a great deal of work.... just tell us more
>about what you are trying to actually get done.
>dursec.com ltd. / kyx.net - we're from the future    http://www.dursec.com
>Snort-users mailing list
>Snort-users at lists.sourceforge.net

More information about the Snort-users mailing list