[Snort-users] CAT5 Twisted Pair 100Mbit Full-Duplex Ethernet Taps?

Robinson, Ken ken.robinson at ...1563...
Fri Mar 16 12:43:14 EST 2001

Excellent!   Thanks, you just cleared up a lot of concern and testing time.

The more and more I get involved with Snort, the more impressive it becomes.
(Well, I guess it was impressive before I got involved, I just didn't know
it.  ;-)  )

-----Original Message-----
From: shawn . moyer [mailto:shawn at ...1184...]
Sent: March 16, 2001 12:19 PM
To: Robinson, Ken
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] CAT5 Twisted Pair 100Mbit Full-Duplex
Ethernet Taps?

"Robinson, Ken" wrote:
> Are any of the Snort rules looking for two way communication, or are they
> all only one way?   I.e. It's a hit if a request is made and a certain
> response is sent back?

Yes, No, and Yes. Snort's signature language is pretty flexible, so
there are bidirectional rules as well as rules that fire after a number
of conditions are met ("activate" rules).

> If there are rules depending on seeing both directions, does a '-i any'
> with the EtherTap to detect the full flow, or does it see it as 2
> flows?

Packet collection happens before rule processing, i.e. all the packets
are sucked up into the 'packet grinder' and then processed against the
ruleset. No worries. :)



s h a w n   m o y e r
shawn at ...1184...

The universe did not invent justice; man did.
Unfortunately, man must reside in the universe.

                                        -- Zelazny
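
An added illustration of the two rule types mentioned in the reply above, not part of the original thread: a bidirectional rule using the `<>` operator and an activate/dynamic pair, in Snort 1.x rule syntax. The network variables, ports and match strings are constructed assumptions.

```snort
# Constructed example rules (Snort 1.x syntax); addresses, ports and
# content strings are assumptions chosen for illustration.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any

# Bidirectional operator: the header matches telnet traffic flowing in
# either direction, so both halves of the conversation are logged.
log tcp $EXTERNAL_NET any <> $HOME_NET 23 (msg: "telnet session, both directions";)

# activate/dynamic pair: the activate rule alerts like a normal rule and
# then switches on every dynamic rule carrying the same number.
activate tcp $EXTERNAL_NET any -> $HOME_NET 21 (flags: PA; content: "USER root"; nocase; activates: 1; msg: "FTP root login attempt";)

# Dormant until activated by rule set 1; then logs the next 50 packets
# that match this header.
dynamic tcp $EXTERNAL_NET any -> $HOME_NET 21 (activated_by: 1; count: 50;)
```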
