"Robinson, Ken" wrote:
> Are any of the Snort rules looking for two way communication, or are they
> all only one way?   I.e. It's a hit if a request is made and a certain
> response is sent back?

Yes, No, and Yes. Snort's signature language is pretty flexible, so
there are bidirectional rules as well as rules that fire after a number
of conditions are met ("activate" rules).

> If there are rules depending on seeing both directions, does a '-i any' work
> with the EtherTap to detect the full flow, or does it see it as 2 unrelated
> flows?

Packet collection happens before rule processing, i.e. all the packets
are sucked up into the 'packet grinder' and then processed against the
ruleset. No worries. :)
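As an added illustration of the two rule forms mentioned in the reply (this is example rule text written for this page, not part of the original message or the Snort distribution; it assumes $HOME_NET is defined in snort.conf, and the content bytes are placeholders rather than a real signature):

```snort
# Added example, not from the original message. $HOME_NET is assumed to be
# defined in snort.conf; the content bytes below are illustrative only.

# Bidirectional rule: the "<>" direction operator makes the header match
# traffic in either direction between the two address/port pairs, so one
# rule covers both the client request and the server reply of a telnet
# session.
log tcp !$HOME_NET any <> $HOME_NET 23 (msg: "telnet session, both directions";)

# Activate/dynamic pair: the activate rule fires on its own condition and
# switches on the dynamic rule whose activated_by: number matches its
# activates: number. The dynamic rule then logs the next "count" packets
# that match its header. Its header uses "<>" so the server's replies after
# the trigger are logged too, which is how a multi-condition, two-way
# capture is expressed in the rule language.
activate tcp !$HOME_NET any -> $HOME_NET 143 (flags: PA; content: "|E8 C0 FF FF FF|/bin"; activates: 1; msg: "IMAP overflow attempt, logging follow-on traffic";)
dynamic tcp !$HOME_NET any <> $HOME_NET 143 (activated_by: 1; count: 50;)
```

The activate/dynamic pair is the Snort 1.x way of saying "after this fires, keep logging what happens next"; later Snort versions deprecate it in favor of the `tag` rule option, which does the same job from inside a single rule. Either way the direction operator in the header, not the rule type, is what decides whether both sides of the conversation are inspected.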