[Snort-users] CAT5 Twisted Pair 100Mbit Full-Duplex Ethernet Taps?

shawn . moyer shawn at ...1184...
Fri Mar 16 12:18:43 EST 2001


"Robinson, Ken" wrote:
 
> Are any of the Snort rules looking for two way communication, or are they
> all only one way?   I.e. It's a hit if a request is made and a certain
> response is sent back?

Yes, No, and Yes. Snort's signature language is pretty flexible, so
there are bidirectional rules as well as rules that fire after a number
of conditions are met ("activate" rules).
 
> If there are rules depending on seeing both directions, does a '-i any' work
> with the EtherTap to detect the full flow, or does it see it as 2 unrelated
> flows?

Packet collection happens before rule processing, i.e. all the packets
are sucked up into the 'packet grinder' and then processed against the
ruleset. No worries. :)


--shawn

-- 

s h a w n   m o y e r
shawn at ...1184...


The universe did not invent justice; man did.
Unfortunately, man must reside in the universe.

                                        -- Zelazny
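To make the distinction in Shawn's answer concrete, here is an added illustration (not part of the original post or of the Snort distribution) of the three rule shapes he refers to: a one-way `->` rule, a bidirectional `<>` rule, and an activate/dynamic pair. All ports, content strings, messages and the activation number are constructed placeholders.

```snort
# Added illustration, not from the original post: constructed Snort 1.x-style
# rules. $HOME_NET / $EXTERNAL_NET are the usual snort.conf variables; every
# port, content string and msg below is a made-up placeholder.

# 1. One-way rule: "->" only matches packets travelling from the source side
#    (left) to the destination side (right).
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"EXAMPLE one-way telnet marker"; flags:PA; content:"EXAMPLE-MARKER";)

# 2. Bidirectional rule: "<>" matches the same content regardless of which
#    side of the session sent it, so one rule covers both directions.
alert tcp $EXTERNAL_NET any <> $HOME_NET 23 (msg:"EXAMPLE either-direction telnet marker"; flags:PA; content:"EXAMPLE-MARKER";)

# 3. Activate/dynamic pair: the activate rule alerts on its own condition and
#    switches on the dynamic rule (matched by number), which then logs the
#    next 20 packets of the same flow so the analyst can see what followed.
activate tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"EXAMPLE IMAP trigger, capturing follow-up"; flags:PA; content:"EXAMPLE-TRIGGER"; activates:1;)
dynamic tcp $EXTERNAL_NET any -> $HOME_NET 143 (activated_by:1; count:20;)
```

Because, as the reply says, packets are collected before rule processing, the `<>` rule and the activate/dynamic pair see both halves of a session whether the sensor reads a single tap interface or `-i any`. Later Snort 2.x releases superseded activate/dynamic pairs with the `tag` option, which does the same follow-up logging from an ordinary alert rule.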



