[Snort-users] CAT5 Twisted Pair 100Mbit Full-Duplex Ethernet Taps?
ken.robinson at ...1563...
Fri Mar 16 12:43:14 EST 2001
Excellent! Thanks, you just cleared up a lot of concern and testing time.
The more and more I get involved with Snort, the more impressive it becomes.
(Well, I guess it was impressive before I got involved, I just didn't know
it. ;-) )
From: shawn . moyer [mailto:shawn at ...1184...]
Sent: March 16, 2001 12:19 PM
To: Robinson, Ken
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] CAT5 Twisted Pair 100Mbit Full-Duplex
"Robinson, Ken" wrote:
> Are any of the Snort rules looking for two way communication, or are they
> all only one way? I.e. It's a hit if a request is made and a certain
> response is sent back?
Yes, No, and Yes. Snort's signature language is pretty flexible, so
there are bidirectional rules as well as rules that fire after a number
of conditions are met ("activate" rules).
> If there are rules depending on seeing both directions, does a '-i any'
> with the EtherTap to detect the full flow, or does it see it as 2
Packet collection happens before rule processing, i.e. all the packets
are sucked up into the 'packet grinder' and then processed against the
ruleset. No worries. :)
s h a w n m o y e r
shawn at ...1184...
The universe did not invent justice; man did.
Unfortunately, man must reside in the universe.
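
The two rule types mentioned in the reply above, as an added example that is not part of the original thread or the Snort distribution. The addresses, ports, message text and content string are constructed, and `$HOME_NET` / `$EXTERNAL_NET` are assumed to be defined in the local snort.conf.

```snort
# Constructed rules for illustration only; values are placeholders.

# Bidirectional operator (<>): the header matches packets travelling in
# either direction between the two address/port pairs, so both halves of
# the conversation are logged by one rule.
log tcp $EXTERNAL_NET any <> $HOME_NET 23 (msg: "telnet session, both directions";)

# activate/dynamic pair: when the activate rule matches it alerts and
# switches on dynamic rule 1, which then logs the next 50 packets that
# match its own header.
activate tcp $EXTERNAL_NET any -> $HOME_NET 143 (flags: PA; content: "EXAMPLE-MARKER"; activates: 1; msg: "constructed trigger on IMAP port";)
dynamic tcp $EXTERNAL_NET any -> $HOME_NET 143 (activated_by: 1; count: 50;)
```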